Arkansas City, Kansas, has had to switch its water treatment facility to manual operations over the weekend due to a cyberattack that was detected during late September 2024. The area has a population of 11,974.
Itay Glick VP of Products at OPSWAT, a global leader in critical infrastructure cybersecurity solutions, explains to Digital Journal why this cyberattack raises wider alarm bells.
This Arkansas City water treatment cyberattack comes amid growing concerns over the vulnerability of U.S. water utilities to cyberattacks.
Before OPSWAT, Glick served as AVP of network and cloud security at Allot, and before that, founded his own company and played a key role in managing the development of equipment for the lawful interception market on behalf of Verint Systems.
Glick explains: “The recent cyber incident at Arkansas City’s water treatment facility highlights the evolving cybersecurity challenges facing critical infrastructure, particularly in the water and wastewater sectors.”
Further with the incident, Glick says: “Fortunately, there was no disruption to the water supply, and sensitive information remained secure. However, similar attacks could easily result in more severe consequences. This event reinforces the need for heightened vigilance and continuous improvements in cybersecurity across this sector.”
The resort to manual processes has helped to minimise the damage, as Glick observes: “Arkansas City’s quick transition to manual operations was key in maintaining uninterrupted service. While manual processes are invaluable in emergencies, they are not intended as long-term solutions. Automated systems are designed to ensure smooth operations, and relying on manual backups over time can lead to inefficiencies or other unforeseen security issues. This emphasizes the importance of strong cybersecurity defences that reduce the need for such measures in the first place.”
Another factor is that lack of a regulated pathway. Here Glick cautions: “Given the unique and largely unregulated nature of cybersecurity in the water industry, it is essential for utilities to proactively adopt best practices. These include securing communication channels like email and USB devices, employing network segmentation to prevent threats from spreading into operational technology (OT) environments, and implementing strong endpoint protection.”
There are also wider lessons for industry: “As the city takes steps to ensure their systems are free of malware, it’s a great opportunity for all utilities to evaluate solutions that can scan transient devices and maintain secure air-gaps between critical networks, helping to prevent unauthorized access.”
Glick ends his analysis by setting out the case for action: “This incident is part of a broader trend of attacks targeting water facilities as noted by the EPA earlier this year. While the attackers were unable to manipulate this system, it serves as a reminder for utilities to take proactive steps before more severe consequences arise.”