Arkansas Water Plant Ransomware Cyberattack: City Calls in FBI

KEY TAKEAWAYS

  • Arkansas City’s water treatment facility was breached on September 22, prompting an FBI and Homeland Security investigation.
  • The facility switched to manual operations as a precaution, and the water supply remains safe without disruption.
  • Cyberattacks on water systems in the U.S., like those in Indiana and Pennsylvania, highlight vulnerabilities in critical infrastructure.
  • Experts suggest nation-state actors may be involved, though the exact motives behind the attack remain unclear.
  • Calls for stricter regulations and enhanced cybersecurity measures for water facilities are growing, as threats to this essential sector increase.

A new cyberattack on Arkansas City's water treatment facility has triggered an FBI and Homeland Security investigation.

The City of Arkansas City revealed that its water treatment facility had been breached on September 22. The city notified relevant authorities and moved the water plant to manual control to ensure safe operations.

Tipton, Indiana, the Texas cities of Hale Center, Muleshoe, Lockney, and Abernathy, and Aliquippa, Pennsylvania, are some of the cities that saw cyberattacks against water providers in the last year.

U.S. intelligence and law enforcement agencies, including the NSA, Homeland Security, CISA, and the FBI, have warned that critical infrastructure, including water and sanitation, is a hot cyber target, and it is a topic we have covered extensively.

We explore the latest attack with experts.

Arkansas City Takes Precautionary Steps to Protect Water Supply

City Manager Randy Frazer assured residents that the water supply remains completely safe.

“Despite the incident, the water supply remains completely safe, and there has been no disruption to service. Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved.”

Local news outlet KWCH.com reported that Arkansas City water workers saw a message pop up on the screen after the water systems malfunctioned. The message, apparently a ransomware note, included an email address to contact.

It is unclear whether Arkansas City will pay the ransom. The FBI and Homeland Security always advise organizations not to give in to demands, as there is no guarantee of recovery or future safety.

Was the Attack on Arkansas’ Water Nation-State Sabotage?

While no changes to water supply or quality of water are expected, the situation has rung alarms at the federal level.

Itay Glick, VP of Products at OPSWAT, a global critical infrastructure cybersecurity solutions provider, told Techopedia that the incident at Arkansas highlights the evolving cybersecurity challenges that critical infrastructure faces, particularly in the water and wastewater sectors.

“Fortunately, there was no disruption to the water supply, and sensitive information remained secure. However, similar attacks could easily result in more severe consequences.”

Water system cyberattacks in the U.S. usually do not attract much attention. However, the April attack in Indiana and the November attack in Aliquippa, Pennsylvania, did stand out for being executed by Russian- and Iranian-supported threat actors.

Neither Arkansas City nor the authorities have released any official information about the recent attack, but given that the FBI and Homeland Security are on the ground checking things out, there could be a strong possibility that a nation-state is behind the Arkansas City incident as well.

Glick from OPSWAT spoke about why the FBI was in Arkansas and what they could be investigating.

“I believe the FBI would be looking for attribution — who is behind the attack, and for IOCs (indicators of compromise) that they can distribute to other organizations for better protection, as well as for dormant artifacts that have been planted to regain access.”

Glick added that without specific details from the investigation into this incident, it’s difficult to determine whether the Arkansas City water treatment attack was purely financially driven or if there could be a more strategic intent, such as sabotage.

“However, given the critical nature of water utilities and the increasing involvement of nation-state actors in cyberattacks, it’s important for organizations to remain vigilant and consider all possible motivations.”

Ransomware Notes Don’t Come Out of Nowhere

Shawn Waldman, CEO and Founder of Secure Cyber, a cybersecurity consulting firm that manages detection and response services for critical infrastructure, told Techopedia that federal law enforcement is in Arkansas City because it is a smaller city that could likely use the help of federal investigators. “These are also federal offenses, warranting an investigation by the FBI,” Waldman added.

“They (FBI and Homeland) are likely focusing on the water control systems to ensure the ransomware incident didn’t spread into the actual water system network.”

“They are also concentrating on identifying the threat actor and likely opening communication channels with them if necessary.”

Exposed front and back-end access to systems and a lack of network segmentation to protect operational technology (OT) environments are part of the problem.

“This lack of separation (segmentation) can allow an attack originating within the city’s network to infiltrate critical infrastructure, such as a water treatment plant,” Waldman said.

Inadequate protection of Human Machine Interface (HMI) systems is also a major concern. HMIs allow engineers to control water flow, open and close valves, and manage chemical outputs, making them one of the most sensitive parts of the facility. “A breach here could lead to dangerous changes in the water supply,” Waldman said.

The Cost of Water Security and Regulations Gaps

Both recent nation-state 2024 cyberattacks against the U.S. (in Tipton, Indiana, and Aliquippa, Pennsylvania) compromised OT and led to a manual override. In contrast, other historical water attacks usually targeted partners, businesses, and sensitive user data.

Threat actors that target OT — the machines that make a water treatment plant work and are often automated — are specifically looking to cause as much damage as possible and create an environment of tension by spreading fear among the population. After all, water is essential to every household.

Waldman said that going back to air-gapped systems that work disconnected from the internet is not possible due to the severe lack of qualified consultants and companies that can support control systems.

“I think Congress needs to step up and push for more stringent requirements for operators,” Waldman said. He added that an increase in water rates to offset the costs of cybersecurity should not be ruled out.

“We can’t just choose to do nothing because of the cost and leave these systems vulnerable to compromise. That would be irresponsible.”

Glick from OPSWAT also called for more regulations and the adoption of preventive measures such as security gateways, intrusion detection systems, and regular security audits to reduce risks.

“Having a well-defined incident response plan is critical,” Glick said. Additionally, employee training is equally important, as human error remains a common entry point for threats.

The Bottom Line

Unfortunately, cyberattacks against water facilities are just getting started. Threat groups are increasingly targeting the sector and learning from each attack. The escalation comes across clearly as plants are forced to deliver water to their citizens in manual mode.

If the warnings of the wave of cyberattacks against the U.S. continue to fall on deaf ears, the damage and disruption are likely to increase and reach an unsustainable and extremely dangerous point.

Water plants across the country need to reimagine their security with or without federal assistance and achieve the standards of modern defense. A critical sector like water cannot be as vulnerable as it is today.
