
Elevated cyber threats are emerging for inadequately secured Operational Technology devices

Over the past few months, experts have detected an increase in politically-driven entities focusing on infiltrating water supply systems and other crucial infrastructure.

Cyber threats are escalating due to the neglect of appropriate configuration in Operational Technology devices.


In recent times, a concerning trend has emerged as state-linked and politically motivated threat groups have escalated attacks against drinking water and wastewater treatment sites in the United States.

These groups have targeted Israeli-made Unitronics programmable logic controllers, which are not only used in Israel but are also widely employed in U.S. facilities. The threat landscape for internet-exposed devices at U.S. industrial sites, particularly drinking water and wastewater treatment facilities, is vast and complex.

Current threats and vulnerabilities include exploitation via IT/OT convergence, sophisticated ransomware, legacy system weaknesses, third-party risks, and state-backed espionage and sabotage efforts. These vulnerabilities are actively exploited to disrupt critical infrastructure.

Key risk factors involve phishing attacks targeting engineers’ IT devices that bridge to Operational Technology (OT) systems, enabling lateral movement to control networks. Modern ransomware attacks now manipulate industrial processes directly, such as falsifying readings or locking controllers, effectively holding water treatment operations hostage.

Vendors and third-party contractors pose a significant supply-chain risk by providing indirect access to control networks through their devices. Many industrial environments still rely on legacy systems lacking modern security features like authentication or encryption, making them highly vulnerable once network access is gained.

The erosion of the air gap is notable, with internet exposure causing about 10% of Industrial Control System (ICS) attacks globally, highlighting weak perimeter defenses. Nation-state threat groups engage in espionage, long-term intelligence gathering, and preparatory positioning for future conflicts, with spyware and ransomware prominent in the threat landscape.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued recent advisories highlighting ongoing risks at critical industrial assets, including equipment widely used across U.S. facilities, emphasizing the urgency of improving defenses amid increased targeting by state-backed and freelance attackers.

Drinking water and wastewater treatment sites face these combined vulnerabilities and threats as critical infrastructure components with direct public health implications, making them attractive targets for politically motivated attacks aiming to disrupt or sabotage essential services.

To mitigate these risks, heightened industrial cybersecurity efforts are required. These measures include patching, network segmentation, enhanced access controls, threat monitoring, and incident readiness specifically tailored for OT environments in critical infrastructure sectors like water treatment. However, the process of implementing these measures takes time and long planning cycles.

Organizations are attempting to mitigate these risks through segmentation, various technologies, and tactics, but require more resources for monitoring, reaction, and implementation of necessary measures. The attacks conducted by OT-focused actors were not limited to public sector facilities but also affected private companies in various countries.

The devices interact with a variety of critical functions in OT systems, including temperature control and motor speed. These attacks mainly target poorly secured devices that rely on outdated software or default passwords. Some of the earliest of these attacks were led by threat groups affiliated with Iran's Islamic Revolutionary Guard Corps.

In May, the FBI and Cybersecurity and Infrastructure Security Agency joined foreign partner agencies in issuing a warning about pro-Russia threat groups targeting water and other critical infrastructure by manipulating human machine interfaces. The attacks against water and wastewater treatment systems pose a significant threat to public health and safety.

Industrial providers often run infrastructure that is between 10 and 30 years old and lacks basic protections against modern threats. The risk goes beyond the water industry, as a range of industries use similar devices, including power plants and heating, ventilation, and air conditioning systems.

The use of outdated software and default passwords in industrial devices increases their vulnerability to cyber attacks. In late May, Rockwell Automation released an advisory urging customers to disconnect devices from the internet because of heightened geopolitical tension, without naming any specific threats or attacks linked to the advisory.
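The mitigation list above (patching, segmentation, access controls, monitoring) and the risk factors the article repeats (internet exposure, default passwords, outdated software, legacy protocols without authentication) can be turned into a simple triage of an OT asset inventory. This is an added example, not code from the article or any vendor; the inventory rows are constructed, and the column names, point values and thresholds are assumptions chosen to mirror the article's risk factors.

```python
"""Rank OT assets by the risk factors the article lists, and attach the
matching mitigation. Added example; inventory is constructed, and the
scoring scheme is an assumption rather than any published standard."""
import csv
import io
from datetime import date

# Constructed sample inventory (fictional assets, not real devices).
INVENTORY_CSV = """asset,role,internet_exposed,default_password,firmware_year,protocol_auth
plc-intake-01,PLC,yes,yes,2012,none
hmi-filter-02,HMI,no,no,2021,password
plc-chlorine-03,PLC,yes,no,2016,none
hist-01,historian,no,yes,2019,password
"""

def assess(row, today=date(2024, 6, 1)):
    """Return (finding, points, mitigation) tuples for one inventory row."""
    findings = []
    if row["internet_exposed"] == "yes":
        findings.append(("internet exposed", 40, "segment: remove from internet, place behind VPN/firewall"))
    if row["default_password"] == "yes":
        findings.append(("default password", 30, "access control: rotate credentials, enforce unique accounts"))
    age = today.year - int(row["firmware_year"])
    if age >= 10:  # assumed threshold, reflecting the 10-30 year old estates the article cites
        findings.append((f"firmware {age} years old", 20, "patch, or apply compensating controls if unpatchable"))
    if row["protocol_auth"] == "none":
        findings.append(("unauthenticated protocol", 10, "monitor: restrict by source IP, alert on new peers"))
    # Combination the article describes as the actual attack pattern: reachable and trivially controllable.
    if row["internet_exposed"] == "yes" and (row["default_password"] == "yes" or row["protocol_auth"] == "none"):
        findings.append(("reachable and controllable without credentials", 0, "treat as incident-readiness priority"))
    return findings

def priority(score):
    """Map an assumed point total to a remediation priority bucket."""
    return "immediate" if score >= 70 else "high" if score >= 40 else "medium" if score > 0 else "low"

def triage(csv_text, today=date(2024, 6, 1)):
    """Parse the inventory, score every asset, and return them worst first."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = assess(row, today)
        score = sum(points for _, points, _ in findings)
        report.append({"asset": row["asset"], "score": score,
                       "priority": priority(score), "findings": findings})
    report.sort(key=lambda r: r["score"], reverse=True)
    return report

if __name__ == "__main__":
    for entry in triage(INVENTORY_CSV):
        print(f"{entry['asset']:16} {entry['score']:3} {entry['priority']:9}",
              "; ".join(f"{f} -> {m}" for f, _, m in entry["findings"]))
```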

As the threats against internet-exposed industrial devices at U.S. water treatment sites continue to evolve, it is crucial for organizations to stay vigilant, invest in robust cybersecurity measures, and collaborate with government agencies and industry peers to protect critical infrastructure and ensure the safety and security of our communities.

  1. The escalated attacks against drinking water and wastewater treatment sites in the United States have become a significant concern, with threat groups relying on exploitation via IT/OT convergence, ransomware, and state-backed espionage and sabotage.
  2. Threat intelligence gathered from these attacks shows that state-linked and politically motivated groups, including those affiliated with Iran's Islamic Revolutionary Guard Corps, are targeting widely used devices in the energy, finance, and industry sectors, including Unitronics programmable logic controllers.
  3. In light of these escalating threats, news coverage emphasizes the importance of cybersecurity measures tailored to Operational Technology (OT) environments in critical infrastructure sectors like water treatment. These measures include patching, network segmentation, enhanced access controls, threat monitoring, and incident readiness.
  4. Acknowledging the growing risks, both the United States Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have issued recent advisories warning about pro-Russia and other politically motivated groups targeting water treatment systems, which threatens not only public health and safety but also critical infrastructure components in the energy, finance, and industry sectors.
