Officials from the FBI and Department of Homeland Security are reportedly investigating a cyberattack on the water treatment facility in the city of Arkansas City, Kansas, roughly an hour drive south of Wichita.
On Monday, City Manager Randy Frazer, told the local newspaper the CourierTraveler that the cyberattack took out the water treatment facility’s control systems and involved a ransom request. With the control systems down, Frazer said the attackers could not manipulate the system and no sensitive city or customer information was compromised.
In a post on the city’s website, Frazer added that the cyberattack took place Sept. 22. The city manager said authorities were promptly notified and out of caution, the water treatment facility switched to manual operations while the situation was being resolved.
“Residents can rest assured that their drinking water is safe, and the city is operating under full control during this period,” Frazer said.
Arkansas City resides in Cowley County, Kansas, and is located at the confluence of the Arkansas and Walnut rivers in the southwestern portion of the county.
According to its Wikipedia entry, Arkansas City has a population of 11,974 and is home to meat processor Creekstone Farms Premium Beef LLC, which employs more than 1,100 workers. Several smaller manufacturing companies have expanded operations in the area and the county has also attracted startups, mainly because of a workforce drawn from two local colleges.
Water systems are critical infrastructure
The recent cyberattack on the Arkansas City water treatment facility underscores the growing threat posed to critical infrastructure by ransomware and other cyberattacks, said Sarah Jones, cyber threat intelligence research analyst at Critical Start. Jones said while the specific details of this particular attack are still emerging, it’s clear that water treatment facilities, along with other OT-dependent industries, remain prime targets for cybercriminals.
“The history of cyberattacks on water treatment facilities is marked by a mix of deliberate attacks and false alarms, highlighting the need for vigilance and preparedness,” said Jones. “The Arkansas City incident serves as a stark reminder of the potential consequences of such attacks, which can range from service disruptions to public health risks.”
While these incidents raise concerns, it appears that officials are less apt to jump to conclusions and spread panic about a local water supply, especially after the industry learned last year that the 2021 attack on the water supply in Oldsmar, Florida, turned out not to be the work of an outside attacker.
“It's still too early to tell who's behind this, as the attack only happened on Sunday,” said Morgan Wright, chief security advisor at SentinelOne. “CISA just released an advisory on Iran-based actors deploying ransomware on U.S. targets. There has been a confluence of activity that doesn't draw a bright line anymore between state actors and transnational criminal groups. State actors have been assisting in developing and obtaining network access, furthering the goals of the criminal actors.”
Wright, an SC Media columnist, added that a standard vector has been attackers going after improperly configured remote access that opens internet connectivity. Modernizing the IT environment comes at a cost, but Wright said it's symbolic of the “save now” mindset that ends with organizations paying far more later when a breach happens — an outcome we've seen far too often.
“Some fundamentals that could, and should, be done right now include updating software and applying patches,” said Wright. “Many intrusions take advantage of unpatched vulnerabilities that have been known for weeks or months. And always, assume breach.”
Itay Glick, vice president of products at OPSWAT, said Arkansas City’s quick transition to manual operations was important in its ability to maintain uninterrupted service. While manual processes are invaluable in emergencies, they are not intended as long-term solutions, said Glick.
“Automated systems are designed to ensure smooth operations, and relying on manual backups over time can lead to inefficiencies or other unforeseen security issues,” said Glick. “Given the unique and largely unregulated nature of cybersecurity in the water industry, it’s essential for utilities to proactively adopt best practices. These include securing communication channels like email and USB devices, employing network segmentation to prevent threats from spreading into operational technology environments, and implementing strong endpoint protection.”
Thomas Siu, chief information security officer at Inversion6, said on the positive side, it appears that the leadership of Arkansas City had an incident response plan in place and a capability to rapidly switch to manual operation of the plant. Siu said this demonstrates their resilience and responsiveness to avoid any extended outage.
“On the pessimistic side, city and municipal governments are challenging operating environments to implement security controls, where many systems were setup to run without regard to today's common cyber threats,” said Siu. “Also, if funding to hire qualified and competent leadership and staff had not been a priority earlier, this case just improved the argument for sufficient support. City and other municipalities should be observing this case and tuning up their response and decision-making processes.”
An attempt to reach the FBI for comment was unsuccessful.