America’s drinking water is facing attack, with links back to China, Russia and Iran
Houston Chronicle/hearst Newspapers Via Getty Images | Hearst Newspapers | Getty Images
The City of Wichita recently had an experience that’s become all too common — its water system was hacked. The cyberattack, which targeted water metering, billing and payment processing, followed the targeting of water utilities across the U.S. in recent years.
In going after America’s water, hackers aren’t doing anything special. Despite rising fears of AI use in cyber threats, the go-to criminal way into systems remains preying on human foibles, be it via phishing, social engineering, or a system still running on a default password — “old school” cyberattacks, according to Ryan Witt, vice president of cybersecurity firm Proofpoint.
The rising cybercrime wave targeting key infrastructure led the Environmental Protection Agency to issue an enforcement alert warning that 70% of water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act. Without quantifying an exact number, the EPA said some have “alarming cybersecurity vulnerabilities” — default passwords that have not been updated, vulnerable single login setups, and former employees who retained systems access.
While the methods may be simple, an attack last year by an Iranian-backed activist group against 12 water utilities in the U.S. reinforced how purposeful “an attacker’s mindset” can be, according to Witt. The targeted utilities all contained equipment that was Israeli-made.
FBI, NSA, CISA all express concern
In February, the FBI warned Congress that Chinese hackers have burrowed deep into the United States’ cyber infrastructure in an attempt to cause damage, targeting water treatment plans, the electrical grid, transportation systems and other critical infrastructure. A Russian-linked hack in January of a water filtration plant in a small Texas town, Muleshoe — located near a U.S. Air Force base — caused a water tank to overflow. “Water is among the least mature in terms of security,” Adam Isles, head of cybersecurity practice for Chertoff Group, recently told CNBC.
Psychological impact on the population is also a strategic aim, seen not only in targeting of water assets but the Colonial Pipeline hack that made national headlines in 2021, and in the words of the federal Cybersecurity and Infrastructure Security Agency, featured “snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school.”
Attacks on U.S. water utilities’ IT systems can have a similar psychological impact, and even if the attacks don’t directly interfere with the operations of the utility, still lessen public trust in water supply. No hack to date has shut off the water to a population, but that’s the bigger worry, said Stuart Madnick, an MIT professor of engineering systems and co-founder of Cybersecurity at MIT Sloan.
Meddling with a water supply through attacks targeting IT (informational technology), like Wichita’s system, is minor in comparison to a successful attack on the OT (operating technology) that controls water plants. That is a massive risk, Madnick said, and the threat of it happening is not zero.
“We have demonstrated in our lab how operations, such as a water plant, could be shut down not just for hours or days, but for weeks. It is definitely technically possible,” he said.
A recent letter sent by EPA Administrator Michael Regan and National Security Advisor Jake Sullivan to the nations’ governors detailed the urgency of the threat. But Madnick is wary of the government’s ability to act quickly or robustly enough to prevent such an occurrence. Budgets, outdated infrastructure, and reluctance to move on an issue that may seem both vital and daunting suggest that the fixes may indeed not come quickly enough. “It has not happened yet, and serious action to prevent ‘likely’ will not happen, until after it has happened,” he said.
Outdated water utility technology
Like any modern system, water utilities rely on technology for monitoring, for operations, and for customer communication. The technology creates vulnerabilities — for providers and users — so the need for enhanced security measures is acute. “The community risk from cyberattacks includes an attacker gaining control of the operations of a system to damage infrastructure, disrupt the availability or flow of water, or altering the chemical levels, which could allow untreated wastewater to be discharged into a waterway or contaminate drinking water provided to a community,” said an EPA spokesman.
Witt says there are some initial steps to take in improving the cyber hygiene of dated systems. “Improving password strength, reducing exposure to public-facing internet, and the need for cybersecurity awareness training,” would go a long way to shoring up defenses, he said. Another potential fix is the deployment of what are called air-gapped systems that separate supervisory and control systems from other networks. Since the easiest way into these systems is to obtain credentials and then exploit the system, “A systems admin should not be able to access office systems such as email and be able to operate a control panel of a water system from the same laptop,” Witt said.
For the most part, attacks that have occurred have been preventable, according to the EPA. “Systems were victimized by destructive and costly cyberattacks because they failed to adopt basic cyber resiliency practices,” the EPA spokesman said. “All drinking water and wastewater systems are at risk — large and small, urban and rural,” he said.
While it has not been a tool needed to date in these water utility attacks, AI is coming alongside the concerted cyber efforts of geopolitical rivals. “Rapid advances in artificial intelligence are giving cyberthreat actors more sophisticated tactics, techniques, and procedures to penetrate operational technology that controls critical infrastructure facilities,” the EPA spokesman said. “These attacks have been linked to a variety of types of malicious actors, including hackers working on behalf of or in support of other nations who could use disruptions to U.S. critical infrastructure to their strategic advantage.”
Amazon said Tuesday it received regulatory approval to begin flying a smaller, quieter version of its delivery drone, the latest step in its long-running efforts to get the futuristic program off the ground.
The company unveiled the new drone, called the MK30, in November 2022. It said then that the MK30, in addition to the other changes, would fly through light rain and have twice the range of earlier models.
Amazon said the Federal Aviation Administration’s approval includes permission to fly the MK30 over longer distances and beyond the visual line of sight of pilots. The agency granted a similar waiver for Amazon’s Prime Air program in May, though that was limited to flights in College Station, Texas, one of the cities where it has been conducting tests.
Alongside the FAA approval, Matt McCardle, head of regulatory affairs for Prime Air, said the company is starting to make drone deliveries Tuesday near Phoenix, Arizona. In April, Amazon said it planned to spin up drone operations in Tolleson, a city west of Phoenix, after it shut down an earlier test site in Lockeford, California. The company will dispatch the drones near one of its warehouses in Tolleson as it looks to integrate Prime Air more closely into its existing logistics network and further speed up deliveries.
An FAA spokesperson said the agency granted Amazon permission to conduct beyond visual line of sight deliveries in Tolleson on Oct. 31.
Amazon founder Jeff Bezos first unveiled plans for the ambitious service more than a decade ago, remarking at the time that the program could be up and running within five years. Despite Amazon investing billions of dollars into the program, progress has been slow. Prime Air encountered regulatory hurdles, missed deadlines and had layoffs last year, coinciding with widespread cost-cutting efforts by CEO Andy Jassy. The program also lost some key executives, including its primary liaison with the FAA and its founding leader. Amazon hired former Boeing executive David Carbon to run the operation.
It’s also encountered pushback from some residents in the cities where it’s trialing drone deliveries. Residents in College Station complained about the noise levels enough that it prompted the city’s mayor to mention the concerns in a letter to the FAA, CNBC previously reported. In response, Amazon executives told residents the company would identify a new drone delivery launch site by October 2025.
Amazon isn’t the only company trying to crack delivery by drone. It’s competing with Wing, owned by Google parent Alphabet, UPS, Walmart and a host of startups including Zipline and Matternet.
WATCH: How Amazon’s drone delivery program stacks up to competitors
Palantir Technologies CEO Alex Karp appears on a Bloomberg television interview during the FoundryCon event in Palo Alto, California, on March 7, 2024.
David Paul Morris | Bloomberg | Getty Images
Palantir shares jumped 23% on Tuesday and headed for a record close after the data analytics software maker reported robust third-quarter results and issued uplifting revenue guidance.
The stock reached a high of $51.19, above the prior record of $45.14 reached last week. If the gain holds, it will mark the stock’s biggest jump since Feb. 6, when shares popped 30%.
Revenue climbed 30% to $726 million from a year earlier, topping the $701 million average analyst estimate, according to LSEG. Adjusted earnings per share of 10 cents beat the 9-cent average estimate.
Analysts at Deutsche Bank said in a report that “the beat was driven by better-than-anticipated US Government performance,” boosted by demand for artificial intelligence tools.
“Palantir is among a handful of infrastructure software companies that have started to meaningfully monetize generative AI, where its competitive positioning benefits from longtime investment and deep expertise in complex data integration, and particularly its reputation for data security built into its ontology,” the analysts wrote.
Net income of $143.5 million, or 6 cents per share, was up from $71.5 million, or 3 cents per share, in the same quarter a year ago. The company called for fourth-quarter revenue of $767 million to $771 million. Analysts surveyed by LSEG had been looking for $741.4 million.
Palantir is targeting more than $687 million in U.S. commercial revenue for the year, implying about 24% of the total.
Bank of America bumped its price target from $50 to $55 and maintained its buy rating.
“We continue to view the adoption of PLTR’s AI-enabled products and reach in its early days, as more companies realize the time, resource, and cost savings possible,” Bank of America analysts wrote in a note to investors. “In our view, Palantir’s moat as the differentiated agnostic AI-enabler is only growing with each new use-case carrying compounding unit economics.”
— CNBC’s Jordan Novet and Michael Bloom contributed to this report.
-
Sports2 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports7 months agoStory injured on diving stop, exits Red Sox game
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports1 year agoGame 1 of WS least-watched in recorded history
-
Environment1 year agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Sports3 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike
-
Business2 years agoBank of England’s extraordinary response to government policy is almost unthinkable | Ed Conway