Opinion: America’s small-town water systems are global cyber targets. Is your city next?

Editor’s note: Robert M. Lee is CEO and co-founder of Dragos, a company that focuses on cybersecurity for operational technology environments. He also serves on the Department of Energy’s Electricity Advisory Committee as the vice chair of the DOE’s Grid Resilience for National Security Subcommittee, and is a member of the World Economic Forum’s subcommittees on Cyber Resilience for the Oil & Gas and Electricity communities. The views expressed in this commentary are his own. Read more opinion at CNN.

As was recently reported, a group calling itself Cyber Army of Russia Reborn posted a video on its Telegram channel on January 18 showing that it had manipulated the controls for water tanks at a Texas water authority. Specifically, the group remotely altered water level indicators so that the pumps turned on, causing a water tank to overflow in the small town of Muleshoe. The town of Abernathy also reported a water system hack, and the towns of Lockney and Hale Center said hackers tried to breach their water infrastructure but did not succeed.

Robert M. Lee - Dragos, Inc.

This is the second cyber threat group to impact US water authorities since November 2023, when CyberAv3ngers, a group that has exploited vulnerable internet-connected operational technology devices, launched attacks on multiple water utilities around the world, including a successful breach of systems in the small town of Aliquippa, Pennsylvania.

These attacks were quite different from hackers defacing government websites, which is disconcerting enough for those trying to secure sensitive portals. Yes, the water system attacks were technically unsophisticated, but they took control of physical processes.

Cybersecurity experts and the US government agree that adversarial national governments, with whom these groups ideologically align, have long had their sights set on attacking critical infrastructure in the United States.

Cyber Army of Russia Reborn, as its name reflects, associates itself with Russia. And CyberAv3ngers has been linked by government agencies to Iran’s Islamic Revolutionary Guard Corps, which the US designated a foreign terrorist organization in 2019.

In February, the FBI confirmed that the China-backed threat group VOLTZITE, also known as Volt Typhoon, had since at least early 2023 been infiltrating critical infrastructure in the US and around the world in preparation for future attacks, targeting not just the water sector but critical communications infrastructure, energy and transportation systems as well.

If this list of powerful hacking groups targeting small and vulnerable infrastructure gives you a Goliath vs. David vibe, you are not alone. The growing number and intensity of cyber attacks backed by adversarial nations targeting our critical infrastructure are of top concern to the public, industry and policymakers alike. The hackers’ motives are many: espionage and reconnaissance, deterrence by showing their capabilities, actual disruption of essential services and more.

Unlike David, who was ready to take on Goliath, our most vulnerable critical infrastructure systems, including water infrastructure, are ill-prepared. In fact, as water facilities modernize, they will actually become even more vulnerable to attacks.

Today’s landscape is peppered with older, even antiquated, systems that are not digital and are not connected to the internet. Rehabilitation and replacement of aging water infrastructure is a top priority for the water sector and lawmakers, which means facilities will become massively more connected via internet-enabled devices, giving attackers new access points. They will also start sharing more of the same systems, meaning adversaries can launch the same attack against multiple facilities rather than having to customize an attack for each one.

But new technologies are the only option for replacing systems that age out, and digital transformation brings real operational and financial benefits. It is unrealistic to go back in time and keep all water facilities completely disconnected or operate them manually.

The water attacks we’ve seen so far have not had serious consequences for the people those systems serve. However, both Cyber Army of Russia Reborn and CyberAv3ngers used unsophisticated methods, such as exploiting a default password, in their recent attacks.

Let there be no mistake: if a state-sponsored adversary – and there are many threat groups backed by Russia, China, North Korea and Iran – used more sophisticated tactics to disrupt water, the consequences could be severe.

The low level of cybersecurity at some water facilities not only let threat groups gain access but gave them the opportunity to learn about the systems, architectures and ways to gain control for future attacks on the next facility with vulnerable systems. Given how these groups have been exploring our systems’ operations and weaknesses, I expect we will see future cyberattacks that do indeed disrupt water treatment processes, corrupt water quality or cause physical damage to systems in a way that can harm people.

According to the EPA, 90% of the nation’s community water systems are small public systems serving 10,000 or fewer people. As water industry representatives and lawmakers have both advised, these systems often lack adequate budgets for new equipment and technology, or to retain cybersecurity personnel or services. They consequently face the escalating threat environment without the expertise and technologies to fully address cybersecurity risk, including threats to their operational technology, such as the industrial control systems that operate water pumping stations.

Government and industry must coordinate more closely than ever to protect critical infrastructure and services, including water. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, National Security Agency, Environmental Protection Agency and other agencies routinely share advisories on vulnerabilities and guidance with industry and other stakeholders.

Yet water is still at risk. Other critical infrastructure sectors that are consistently targeted, such as our electrical systems, have well-developed cybersecurity standards and structures in place to fund the necessary investments. The water sector, by contrast, is only beginning its cybersecurity journey. Many water facilities lack the financial and workforce capacity even to prioritize and act on information about threats, let alone build defensible systems.

If we really want to help water utilities defend against cyber threats, we have to close the resource gap. Protecting your personal information in your water bill is important, but so is protecting your actual water. That means cybersecurity must protect operational technology and not just data systems. And costs for cybersecurity investment need to be recoverable through local government budget setting processes.

We can’t make utilities choose between reliability and security. Our communities need both.

But funding doesn’t solve everything. Water utilities need faster and easier access to cybersecurity tools and resources. Recent grant programs help, such as the Department of Homeland Security’s State and Local Cybersecurity Grant Program, but there are still hurdles to actually getting funding, including a long, burdensome process for federal money to reach utilities. Vendors are also looking at how they can give back to the community they serve. Critical infrastructure is an ecosystem, and by supporting the sectors most in need through tools and information sharing we are bolstering all sectors and supporting national security.

As I said in my testimony before Congress in February, we all have the same goal: safe and available water for ourselves, our families and our communities. We know what needs to be done. We just need to work together across industry and government to actually do it. We can’t wait for the next attack on our vulnerable water infrastructure, whether another small town with minimal defenses is targeted or a more sophisticated attack is launched on a large city’s systems.
