A city in southern Kansas is responding to a cyberattack against its municipal water system, highlighting again the threat bad actors represent to such critical infrastructure in the United States.

Officials with Arkansas City said in a brief statement on LinkedIn that they detected a “cybersecurity issue” at its water treatment facility on September 22, adding that they were taking precautionary measures to secure the plant, including switching to manual operations while they resolve the problem.

In the statement, City Manager Randy Frazer said that “despite the incident, the water supply remains completely safe, and there has been no disruption to service. … Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period.”

There were few details about the nature of the incident or other steps the city is taking to address it, with officials saying only that “enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents.”

The incident in the city, which sits on the border with Arkansas, is the latest in which a municipal water supply was targeted by hackers. The Biden Administration has made protecting critical infrastructure in the country – not only water and wastewater systems but also electrical, chemical, financial services, IT, and food and agriculture, among others – from cyberattacks by nation-state and financially motivated threat groups.

Water Supplies Under Attack

Late last year, the Municipal Water Authority in Aliquippa, Pennsylvania, came under attack, with threat actors using programmable logic controllers (PLCs) developed by Unitronics to take control of a system used to monitor water pressure for nearby towns. There was no threat to drinking water, though operators were forced to take systems offline and shift to manual operations.

Cybersecurity firm Check Point said in a report that CyberAv3ngers, a hacking group linked to Iran’s government with a history of targeting water, electrical, and transportation operations, took responsibility for the Pennsylvania attack. In their operations, CyberAv3ngers looks to exploit security vulnerabilities in internet-facing devices, like PLCs.

During the attack, computer screens in the Aliquippa facility displayed a note from the threat group announcing the hack and a message about Israeli equipment being targeted. The note also said, “Down with Israel.” The intrusion came almost two months after the October 7 attack by Palestinian terrorist group Hamas on Israel.

The U.S. government at the time said it was investigating hacks of other U.S. water facilities.

Federal Government Calls for Stronger Protections

U.S. agencies have been warning about the threats to water facilities and urging municipal governments to harden their protections. CISA in February outlined steps they can take to make their systems more secure, including conducting regular cybersecurity assessments, changing default or weak passwords and deploying multifactor authentication (MFA) – particularly on IT infrastructure like email to make it more difficult for bad actors to access operational technology (OT) systems – using backup systems, and reducing the exposure of systems to the internet.

“OT devices such as controllers and remote terminal units (RTUs) are easy targets for cyberattacks when connected to the internet,” CISA wrote.

A month later, the White House and EPA met virtually with state officials to talk about the need to protect water supplies against cyberattacks. TrueFort, a microsegmentation tools vendor, wrote at the time that “the gravity of this threat is underscored by the acknowledgment that water and wastewater systems serve as foundational pillars to the well-being and functioning of communities. Yet, many of these critical infrastructures are hampered by limited resources and technological capabilities, making them particularly susceptible to cyber incursions.”

Jason Soroko, senior vice president of product at cybersecurity firm Sectigo, commented on the incident at Arkansas City and said municipal water offices need to harden the protections of their networks.

“These security architecture problems are usually associated with IT staff at water treatment facilities who are true experts in maintaining operational uptime and safety but are often less prepared to address complex cybersecurity challenges like securely segmenting a network,” Soroko said. “It’s not just a lack of funding but a fundamental conflict between the motivation to keep systems running smoothly and the need to implement robust security measures, which can sometimes put operations at security risk.”

He noted that “the specialized security skill set required to protect against cyber threats is very different from the expertise present in these facilities, leading to gaps in security posture.”