By Emma Nitzsche 

On average, the United States suffers seven ransomware attacks every hour. Last year, the country experienced 65,000 attacks, and the number is only expected to rise.

 

“Ransomware attacks are only going to get worse and more pervasive into people’s lives, and they’re not disappearing anytime soon,” said Allan Liska, an intelligence analyst at Recorded Future. “There’s a line of cybercriminals waiting to conduct these ransomware attacks. Anytime one goes down, you just see another group pop up.”

 

The most vulnerable industries? Water and power.

 

The digital security of the U.S. computer networks that control the machines distributing water and power is painfully deficient. Much of the infrastructure in the plants is outdated and too old for some cybersecurity tools. It doesn’t help that cybersecurity has been a low priority for operators and regulators.

 

In 2018, the city of Los Angeles paid hackers to break into its water and power systems. The goal was to identify weak areas and address the overall. The paid hackers found ten vulnerabilities and 23 issues that researchers had discovered as early as 2008. Only a few of the 33 security gaps have been fixed since the report’s submission.

 

Dragos, a leading cybersecurity company, estimated that 90 percent of its customers had “extremely limited to no visibility” inside their industrial control systems. Its research showed that, once inside sensitive software, a hacker has free rein to collect sensitive data, investigate system configurations, and select the right time to wage an attack.

 

In February, a hacker initiated an attack on an Oldsmar, Florida, water treatment facility. The hacker modified the amount of sodium hydroxide in the water supply to a hazardous level. Thankfully, an employee saw the breach take place and prevented any additional damage. Researchers discovered that the attack could have been prevented with more securely configured remote engineering access.

 

In March, the Post Rock Water District in Ellsworth, Kansas, experienced a similar water breach. A former employee had remote access to a computer that remotely shut down the cleaning and disinfecting procedures that make water drinkable. The U.S. Environmental Protection Agency arrested the ex-employee and released a statement that assured the public that it is “committed to upholding the laws designed to protect drinking water systems from harm or threat of harm.”

 

But the national industries are behind the curve. Unfortunately, the attacks are only increasing, and the public has only recently recognized their severity.

 

“This is just the beginning,” says Holden Triplett, the founder of the cybersecurity consulting firm Trenchcoat Advisors. “And it’s going to get a lot worse.”