Things I have no choice but to write

Category: Breaches

Largest US Water Utility Hacked: American Water


It has happened again. Another water utility has been hacked. A number of sources (CNBC, CBS, CNN) have reported that the nation’s largest water utility, American Water, has been hacked. American Water manages more than 500 water and wastewater systems in about 1,700 communities across at least 14 states, including California.

American Water has announced it is back online. Further, American Water says it has no indication that its water and wastewater facilities were impacted by this incident. It also says that water quality was not affected.

The attack was first reported in an 8-K filing with the SEC on October 3rd. American Water appeared to recover by October 10th, according to a statement released by the company.

The attack appeared to cause network outages, rendering both American Water’s billing portal, MyWater, and its internal phone network inoperative, according to cybersecurity publication Dark Reading.

This is by no means the first attack on a water system this year. As has been written about on this site, there have been attacks in Texas, Hawaii, Kansas, and Pennsylvania. Moreover, there have been new cybersecurity guidelines issued for water systems by DHS, and more security called for by the EPA.

Valley Water needs a Director who understands the nature of the cybersecurity threat. Bill Roth is that candidate: he brings years of experience in both technology and cybersecurity, and can ask the right questions to ensure our water systems remain safe.

For more information, check out Fast Facts about Bill Roth.

The Threat is Real: Another Water Hack

The threat is real. Small Texas towns have had their water systems hacked by a Russian hacking group. You can find a cluster of news stories here.

In short, a series of cyberattacks targeted small towns in rural Texas, with one incident causing the water system to overflow. The attacks, attributed to a Russian hacktivist group called CyberArmyofRussia_Reborn, were aimed at public utilities, raising concerns about the vulnerability of U.S. water systems. I have written about this previously in relation to hacks in Pennsylvania and Hawaii.

In Hale Center and Muleshoe, attempts to breach the water systems were thwarted by manual intervention after the cities detected suspicious activity. Similar attacks in Lockney were also prevented. While the incidents didn’t pose immediate dangers, they underscored the need for improved cybersecurity measures in critical infrastructure. The FBI and Department of Homeland Security were notified but declined to comment on ongoing investigations. Both the FBI and DHS issued a warning about potential attacks in March.

Previous attacks on U.S. water facilities, including those attributed to Iranian state groups, prompted calls for stronger cybersecurity measures from government officials. The Environmental Protection Agency urged governors to assess cybersecurity risks and plan for potential cyberattacks on water supplies.

Valley Water needs to have a comprehensive cybersecurity policy. Moreover, it needs someone on the board of directors who understands the issues and the seriousness of the threat. Bill Roth is the candidate the board needs.

CNN: Officials Warn of Cyberattacks on Water

(Updated March 24)

CNN reported on March 19th about Biden administration officials highlighting concerns over cyberattacks targeting our nation’s critical water infrastructure. As I’ve discussed previously, reflecting on incidents in Hawaii and Pennsylvania, the threat to our water systems is both real and escalating.

The White House and EPA are now urging governors to bolster cybersecurity measures for water and wastewater systems. This comes amid revelations that many facilities lack fundamental protections against cyber threats, with recent breaches by state-sponsored hackers underscoring the urgency.

In response, a task force has been initiated to pinpoint and address vulnerabilities. However, despite these efforts, challenges remain, particularly with the implementation of regulatory protections.

The Santa Clara Valley Water District deserves a board member who not only recognizes the gravity of these cyber threats but is also prepared to take decisive action. I am confident in my ability to contribute effectively to our Board of Directors, ensuring our community’s water security against these evolving cyber risks. Do you have cybersecurity questions, comments or concerns? Contact me here.

Update 1: March 24th

Newsweek also has a story on this announcement. Newsweek covers Iranian cyberattacks in more detail than CNN, and does not mention China. It also mentions the Aliquippa cyberattack, but makes no mention of the recent attack in Hawaii.

Breach and Ransomware Strategy at Valley Water

Today’s article on Reuters about the breach at UnitedHealth got me thinking. When you look at Valley Water’s website, the words “breach” (related to cyber-security) and “ransomware” do not occur when you search for them. Valley Water needs to do better to improve communication. We need to know how they’re going to alert us to breaches of our data (because we are citizens of the county and it is our data) and what protections they have in place against ransomware attacks. Proactive communication about cybersecurity preparedness and incident response plans can serve as a critical step in safeguarding the community’s data against sophisticated cyber threats. Blackcat is one of many groups out there engaging in this activity. 

There are plenty of good solutions on the market; we need to be assured that they’re ready.

As a policy matter, I would like to see a public statement on a web page that gives the rough outlines of how they are protecting our critical infrastructure. Just enough to give confidence to the rate-payers, but not enough for the hackers to get any ideas.

Agree or disagree? Let me know. Feel free to add your comments or thoughts below.

Water District Hacked in Hawaii

A Washington Post article pointed out that there is more nation-state interference in critical infrastructure in the United States. I have written on this topic before. Another Water District has been hacked in Hawaii by the group labeled Volt Typhoon. Although reports suggest that no damage occurred, this does not eliminate the threat.

The Threat is Real

The Post estimates that several facilities have been infiltrated over the last 2 years. Many of the entities attacked fall into the category of critical infrastructure, like water systems, power grids, and power generation facilities. Many of the systems are targets of opportunity: that is, critical infrastructure facilities whose cybersecurity is lax, or which have vulnerabilities they are not aware of. For example, the breach at Aliquippa Power happened because of an unknown vulnerability in both billing systems as well as the computerized control of their facilities, known as SCADA systems.


While the Aliquippa and Hawaii hacks appear to be related to foreign actors, many serious hacks are perpetrated by current or former insiders, like the hack of the water treatment facilities in Discovery Bay, California, in 2021. Water Districts need to have rigorous security protocols for both external and internal threats.

Advanced Persistent Threats

Many of the attacks from foreign actors are what’s known as advanced persistent threats.

An Advanced Persistent Threat (APT) is a sophisticated and targeted cyber attack in which an unauthorized user or group gains unauthorized access to a network and remains undetected for an extended period. The “advanced” aspect refers to the use of sophisticated techniques, tools, and strategies to breach security defenses, while the “persistent” aspect indicates the intruder’s ability to maintain a long-term presence within the compromised system.

APTs are typically conducted by well-funded and highly skilled threat actors, often with specific objectives such as stealing sensitive information, conducting espionage, or disrupting critical operations. These attacks often involve a combination of social engineering, zero-day exploits, malware, and other advanced tactics to compromise and maintain access to a target network.

Unlike more opportunistic and short-term cyber attacks, APTs are characterized by their stealth, patience, and determination. The attackers often adapt their strategies to evade detection, regularly updating their tools and techniques to exploit vulnerabilities and avoid security measures. Defending against APTs requires a multi-layered and proactive approach, including robust cybersecurity measures, continuous monitoring, and incident response capabilities.

What does this really mean? Foreign actors who infiltrate a water system are content to sit and wait or do reconnaissance. That is, until the time comes when they receive the signal to move from reconnaissance to attack.

This is reminiscent of the old saying in cybersecurity, “There are two types of people: Those who have been hacked, and those who do not know they have been hacked.”

Cybersecurity Knowledge is Desperately Needed

As I have mentioned in previous articles, the threat to life and property in Santa Clara County is significant and should not be underestimated. The Santa Clara Valley Water District needs a Director who understands the threat to our watersheds and water systems and can give it the oversight it deserves. Bill Roth is the candidate to do that.

Hackers Hijack Control System at Water Utility 

There is an old saying in the cybersecurity field: There are two types of people. Those who have been hacked, and those who do not know they have been hacked. While someone hacking into your home network may not worry you, if a water district’s operational systems are hacked, a whole lot of chaos could ensue.

Some may say that I am overreacting, but consider this news item about a water system in Pennsylvania. The Municipal Water Authority of Aliquippa, Pennsylvania confirmed that foreign hackers had taken control of a booster station over the weekend. The hack was perpetrated by an Iran-influenced group called Cyber Av3ngers.

From looking at the Aliquippa Water Authority’s website, it also appears that they have been the target of a spoofing campaign, which sought to direct the Water Authority’s customers to a fake billing site that was not associated with it.

This illustrates the two types of attacks that water districts need to be aware of. The first type of attack is on the systems that control SCADA systems. These systems control the “physical” plant for water districts. This means all of the dams, reservoirs, water treatment plants, and water purification centers. Hostile control of these systems could lead to a physically disastrous event. The second type of attack is on the financial systems a water district controls, like its accounting systems or its payment systems. Hostile control of these systems could lead to a financially disastrous event.

Why does this matter to Santa Clara Valley Water District? Let’s make this real. The district has SCADA systems for its collection of dams, reservoirs, water treatment plants, and water purification centers. Imagine if a hostile foreign actor got into the Valley Water network and was able to open the floodgates of Almaden Dam, located in New Almaden, south of San Jose. This map shows a model of what the worst flooding would look like. Thousands of homes and millions of dollars would be lost.

The Santa Clara Valley Water District needs board-level leaders who are aware of the breadth and complexity of cybersecurity issues, and who have the foresight to deploy resources to stop the threats. Bill Roth is the leader who will do this.


© 2025 Bill Roth
