https://www.fastcompany.com/91002831/us-water-utilities-hacked-cybersecurity

12-22-23

U.S. water utilities were hacked after leaving their default passwords set to '1111,' cybersecurity officials say

The White House is sounding the alarm as critical U.S. infrastructure fails to implement even the most basic cybersecurity measures.

By Wilfred Chan

Providers of critical infrastructure in the United States are doing a sloppy job of defending against cyber intrusions, the National Security Council tells Fast Company, pointing to recent Iran-linked attacks on U.S. water utilities that exploited basic security lapses.

The security council tells Fast Company it's also aware of recent intrusions by hackers linked to China's military at American infrastructure entities that include water and energy utilities in multiple states. Neither the Iran-linked nor the China-linked attacks affected critical systems or caused disruptions, according to reports.

"We're seeing companies and critical services facing increased cyber threats from malicious criminals and countries," Anne Neuberger, the deputy national security advisor for cyber and emerging tech, tells Fast Company. The White House had been urging infrastructure providers to upgrade their cyber defenses before these recent hacks, but "clearly, by the most recent success of the criminal cyberattacks, more work needs to be done," she says.

Since the start of the Israel-Hamas war, an Iranian hacking group known as CyberAv3ngers has been targeting U.S. water utilities that use Israel-manufactured Unitronics programmable logic controllers--common multipurpose industrial devices used for monitoring and regulating water systems. "[Such infrastructure] is often forgotten about, neglected, or both and presents an attractive target for nation-states," says Gary Perkins, chief information security officer at cybersecurity firm CISO Global.

The attacks hit at least 11 different entities using Unitronics devices across the United States, which included six local water facilities, a pharmacy, an aquatics center, and a brewery. After taking control of the devices, hackers replaced their screens with the message "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target."

Matthew Mottes, the board chairman at the Pennsylvania-based Municipal Water Authority of Aliquippa, which was hacked, told reporters that the water authority disabled the affected system after the attack, and there was no impact to the water supply for local residents.

Some of the compromised devices had been connected to the open internet with a default password of "1111," federal authorities say, making it easy for hackers to find them and gain access. Fixing that "doesn't cost any money," Neuberger says, "and those are the kinds of basic things that we really want companies urgently to do."
But cybersecurity experts say these attacks point to a larger issue: the general vulnerability of the technology that powers physical infrastructure. Much of the hardware was developed before the internet and, though they were retrofitted with digital capabilities, still "have insufficient security controls," says Perkins.

Additionally, many infrastructure facilities prioritize "operational ease of use rather than security," since many vendors often need to access the same equipment, says Andy Thompson, an offensive cybersecurity expert at CyberArk. But that can make the systems equally easy for attackers to exploit: freely available web tools allow anyone to generate lists of hardware connected to the public internet, like the Unitronics devices used by water companies. "Not making critical infrastructure easily accessible via the internet should be standard practice," Thompson says.

But just taking water hardware offline--what security professionals call "air-gapping"--isn't enough, says Chris Clements, the vice president of solutions consulting at CISO Global. Clements says he once helped respond to a cyberattack on a water facility that had isolated its sensitive systems from the internet, but because of that, had failed to update the systems with the latest security patches. "So when an employee on the third shift decided to bring in a USB thumb drive with home-loaded games (as well as a network worm) and plugged it into the air-gapped network, the systems were completely defenseless, and every single one was infected within seconds," he says--an attack that required a "multi-week-long cleanup."

Thompson says he's seen an "uptick in the number of attacks" on critical infrastructure, which he views as "directly connected to geopolitical tensions and global conflicts."
But the most recent attacks have been characterized less by their sophistication than by "the sheer volume of attacks being deployed, albeit by seemingly unskilled attackers," and "the damage inflicted by recent attacks has been relatively minimal."

Yet some attacks have come disturbingly close to doing far more harm. In July, federal prosecutors charged a man with using remote software to sabotage critical protections at a California water treatment plant where he previously worked, though the attack was detected and thwarted. In 2020, Iranian hackers tried to raise the levels of chemicals like chlorine in Israel's water supply, and were "close to successful," according to Western intelligence reports.

Still, the White House has struggled to rally the water sector behind tougher cybersecurity measures. In March, the Environmental Protection Agency released a memo requiring states to implement new cybersecurity measures at water systems, but the agency withdrew the memo in October after a judge ruled in favor of water industry groups and Republican states that sued the EPA, arguing that the measures would be too costly and that the agency didn't have the authority to issue them.

For now, Neuberger hopes that companies and critical utilities will see it in their own interest to "lock their digital doors," and that manufacturers like Unitronics will "please, build security into your tech products." These intrusions into water systems were "pretty basic attacks, and some basic cybersecurity practices would've prevented it," she says. "This was defensible."

About the author: Wilfred Chan is a Fast Company contributor whose work also appears in The Guardian, The Nation, and New York.