Water warning: America’s systems are ‘especially vulnerable’ to cyberattack, Microsoft says

Microsoft is warning that America’s water systems are easy targets for cyberattackers, putting safe drinking at the mercy of foreign hackers and ransomware gangs.

The tech giant’s warning came after extensive surveys by water and wastewater sector experts and U.S. federal officials to determine the nature of the danger.

The water and wastewater infrastructure in the U.S. includes more than 100,000 public and private utilities of various sizes with differing cybersecurity needs, according to Microsoft’s Kaja Ciglic.

“There are vast disparities when it comes to cyber readiness, especially for smaller utilities that have fewer resources. This leaves the sector especially vulnerable to cyberattacks,” Ms. Ciglic wrote on the company’s blog. “Regardless of the size of the utility, cyberattacks that disrupt water services can have a damaging and cascading impact on things like access to safe and reliable drinking water and sewage management, as well as on other critical infrastructure sectors.”

Cyberattacks disrupting water systems can mar the uninterrupted access to water for hospitals and other facilities, according to Ms. Ciglic.

Microsoft assessed the cybersecurity of water systems in partnership with the Cyberspace Solarium Commission 2.0. Beginning in 2022, the software company and nonprofit huddled with experts from the FBI, National Security Agency, Environmental Protection Agency, other federal agencies, Congress and the private sector to study the threat and produced a report published Wednesday.

The FBI, NSA and an unnamed large water utility alongside other experts met and said the water sector suffers from a lack of regular maintenance and updates to computer systems.

Microsoft and the nonprofit’s report said the number of cyberattacks on the water sector may be larger than known, given the water sector’s inability to detect hacks.

“The consensus from the speakers and participants in the discussion was that, today, opportunistic ransomware ’gangs’ are the most prominent threat actors facing the water sector,” the report said. “Strengthening cyber hygiene practices, implementing network segmentation and adopting multifactor authentication are essential steps to begin to mitigate risks posed by these and other threat actors.”

Ransomware gangs encrypt computer systems to hold networks and data hostage until victims pay up, hammering American infrastructure in recent years. The cybercriminals often reside outside the U.S. in jurisdictions that are difficult for American law enforcement to reach.

Foreign governments are targeting American water systems too. This month, U.S. and Israeli cyber officials published an advisory warning that Iranian government-affiliated cyberattackers were targeting and hacking America’s water systems. Islamic Revolutionary Guard Corps-affiliated hackers compromised the security of programmable logic controllers used throughout the water sector, according to the advisory from American cyber officials.