Kansas Water Plant Pivots to Analog After Cyber Event

Source: Dmitry Kaminsky via Alamy Stock Photo

The water treatment facility for a small city in Kansas experienced a “cybersecurity incident” on the morning of Sept. 22.

Arkansas City — population 12,000, a two-hour drive north of Oklahoma City — sits at the junction of the Walnut and Arkansas Rivers, the latter of which supplies the town’s drinking water. A notice from the city’s Environmental Services Administration revealed that on Sept. 22, its treatment facility experienced a “cybersecurity incident.” Authorities were contacted and precautionary measures taken. Most notably, the facility moved to fully manual operations — a temporary decision made “out of caution,” according to city manager Randy Frazer in the notice.

“Despite the incident, the water supply remains completely safe, and there has been no disruption to service,” Frazer wrote. “Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period.”

The administration added that “Cybersecurity experts and government authorities are working to resolve the situation and return the facility to normal operations. Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents.”

Dark Reading has reached out to Arkansas City for more information about the incident. In lieu of details, Shawn Waldman, CEO and founder of Secure Cyber, points out that a switch to manual operations could indicate some degree of seriousness.

“In a breach that we investigated last November, we actually never went to manual mode,” he recalls. “We were able to isolate the human-machine interfaces (HMIs) and keep the Russian malware contained, and we let the plant operate as normal. There’s a lot of strain on employees when you put a plant in manual mode. That’s the last case scenario — you don’t want to go into manual mode unless you have to.”

The Problem With State-of-the-Art Systems

Industrial control systems have long struggled to match old, legacy equipment to the demands of modern day cybersecurity.

Less often spoken of is the opposite problem: newer facilities designed with greater connectivity in mind, which introduce attack surfaces that the dinosaur, often analog machines, didn’t have.

The new 5.4 million-gallon-per-day water treatment facility in Arkansas City opened in February 2018. It cost $22 million to build, and sports “advanced technology” estimated to save the city up to 20% on operational and maintenance costs. The exact nature of its cybersecurity posture is unknown.

“Just because a city comes out and says: ‘We just upgraded everything, and it’s all new, and we should be good’ — well, that’s great, but what about cybersecurity?” asks Waldman. "Some cities are not making a proper investment into securing their critical infrastructure.

“My city did that exact thing: I know for a fact that they did not upgrade cybersecurity, but they spent around $14 million or more to upgrade all the infrastructure.”

To ensure that cities don’t leave security out of their budgets, Waldman says, “The EPA and Congress need to step up and get that new EPA standard for cybersecurity passed. They tried to do it before, and then they got sued. And what did we give up? Weeks after that, Iran launched a bunch of attacks on the water systems in the United States. Because, big surprise, Iran reads the US news.”

About the Author

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.