Cybersecurity Incident Forces Manual Operation at Kansas Water Treatment Facility
On the morning of September 22, a small water treatment facility in Arkansas City, Kansas, was hit by what officials have described as a “cybersecurity incident.” The town of around 12,000 people, located two hours north of Oklahoma City at the convergence of the Walnut and Arkansas Rivers, relies on the Arkansas River for its drinking water. The Environmental Services Administration, responsible for the city’s water systems, released a statement shortly after the incident confirming the breach and outlining the steps being taken to protect the town’s water supply.
In response to the breach, the treatment plant transitioned to manual operations as a precautionary measure. According to city manager Randy Frazer, the decision to go manual was made “out of an abundance of caution,” and officials have been closely monitoring the situation ever since. “Despite the incident, the water supply remains completely safe, and there has been no disruption to service,” Frazer reassured residents in a written notice. “Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period.”
Although no further technical details have been disclosed about the nature of the cyberattack, the administration noted that cybersecurity experts and government authorities have been called in to assist with the investigation and resolution of the incident. Enhanced security measures have already been implemented to protect the facility from any further attacks, and no changes to the water’s quality or availability are expected for residents.
The Transition to Manual Operations: A Serious Step
The decision to shift the plant to manual mode is notable, as it indicates the severity of the situation. Manual operation of industrial control systems (ICS) is often considered a last-resort measure, typically reserved for moments when there is a high risk of further compromise or damage to automated systems. According to Shawn Waldman, CEO and founder of Secure Cyber, the move to manual mode in this case might point to significant concerns on the part of the facility’s operators.
“In an incident we investigated last November, we never had to go to manual operations,” Waldman recalled. “We were able to isolate the human-machine interfaces (HMIs) and keep the Russian malware contained, allowing the plant to continue operating as normal. There’s a lot of strain on employees when you put a plant in manual mode. That’s the last case scenario—you don’t want to go into manual mode unless you have to.”
Waldman’s insight highlights the operational burden that manual mode can impose on workers. Water treatment plants, like many industrial facilities, rely on automated systems to monitor and manage various processes, such as chemical balancing, filtration, and pressure control. When these systems are forced offline, plant operators must take over manually, introducing the risk of human error and requiring round-the-clock attention to maintain stability. This approach is unsustainable for long periods and can lead to increased stress among the staff.
The Growing Threat of Cyberattacks on Critical Infrastructure
This incident is the latest in a string of cybersecurity breaches targeting critical infrastructure across the United States. From energy grids to healthcare systems, the threat of cyberattacks on essential services has been growing steadily over the past decade. In the case of water treatment plants, these threats are particularly alarming given the vital role clean water plays in public health and safety.
The U.S. Department of Homeland Security has long warned of the vulnerabilities present in the nation’s critical infrastructure, and water treatment facilities are often regarded as particularly susceptible to cyberattacks. A report by the U.S. Government Accountability Office (GAO) published in 2021 found that many water utilities lacked the resources and expertise necessary to defend against cyber threats, and were using outdated systems that could easily be compromised.
Industrial control systems (ICS), like those used in water treatment facilities, are a prime target for cybercriminals. These systems have historically struggled to balance the demands of modern cybersecurity with the functionality of older, legacy equipment. In many cases, facilities are still operating on outdated hardware and software that may not have been designed with cybersecurity in mind. As more facilities move towards greater connectivity and automation, the attack surfaces available to hackers grow wider.
Arkansas City’s New Facility: Balancing Innovation with Security
Arkansas City’s water treatment facility is relatively new, having opened in February 2018 at a cost of $22 million. Designed to process up to 5.4 million gallons of water per day, the facility was constructed with the goal of increasing efficiency and cutting down on operational and maintenance costs. The plant’s advanced technology is estimated to save the city as much as 20% annually.
However, while the new facility boasts state-of-the-art systems, questions remain about its cybersecurity posture. Cybersecurity experts warn that the integration of modern technology into industrial processes must be accompanied by robust cybersecurity measures. Without the proper defenses in place, even the most advanced facilities can become vulnerable to attack.
“Just because a city comes out and says, ‘We just upgraded everything, and it’s all new, and we should be good’—well, that’s great, but what about cybersecurity?” Waldman asked. “Some cities are not making a proper investment into securing their critical infrastructure. My city did that exact thing: I know for a fact that they did not upgrade cybersecurity, but they spent around $14 million or more to upgrade all the infrastructure.”
Cybersecurity: An Afterthought in Municipal Budgets
The issue of underinvestment in cybersecurity is not unique to Arkansas City. Across the country, municipal budgets often allocate significant funds for infrastructure improvements without providing an adequate amount for cybersecurity. This can leave newly upgraded facilities vulnerable to attack, as was seen in this case.
The reason for this is multifaceted. Many municipal governments are working with limited budgets and may not fully understand the importance of cybersecurity. Others may assume that the new systems they are purchasing come with built-in security, without realizing that specialized cybersecurity measures are needed for critical infrastructure.
Waldman believes that stronger regulatory standards are needed to address these gaps. He has called on Congress and the Environmental Protection Agency (EPA) to pass new cybersecurity requirements for water treatment facilities and other critical infrastructure. “The EPA and Congress need to step up and get that new EPA standard for cybersecurity passed,” he said. “They tried to do it before, and then they got sued. And what did we give up? Weeks after that, Iran launched a bunch of attacks on water systems in the United States. Because, big surprise, Iran reads the U.S. news.”
In recent years, there have been several high-profile cyberattacks on water systems in the U.S., including an attempted poisoning in Oldsmar, Florida, in 2021. In that case, hackers breached the city’s water treatment plant and tried to increase the levels of sodium hydroxide, a dangerous chemical, in the water supply. Fortunately, the attack was thwarted before any harm was done, but it underscored the real-world dangers of these kinds of cyberattacks.
The Path Forward: Strengthening Cybersecurity in Critical Infrastructure
Incidents like the one in Arkansas City highlight the urgent need for more robust cybersecurity in critical infrastructure. The consequences of a successful attack on a water treatment facility could be catastrophic, potentially leading to widespread illness or even loss of life.
To address this growing threat, experts recommend a multi-layered approach to cybersecurity. This includes not only investing in the latest technology, but also conducting regular security assessments, implementing real-time monitoring, and training staff to recognize and respond to potential threats.
Additionally, collaboration between the public and private sectors is essential to improving the security of critical infrastructure. Many cities and towns lack the resources to develop and implement comprehensive cybersecurity strategies on their own. By working with cybersecurity firms, municipalities can gain access to the expertise and tools needed to protect their facilities.
Manual Mode: A Temporary Fix
As of now, Arkansas City’s water treatment plant remains in manual mode while experts work to resolve the issue and restore normal operations. The transition to manual mode may have prevented further damage, but it is not a long-term solution. Manual operation places significant strain on workers and increases the risk of human error. As such, returning to fully automated systems will be a top priority once the facility is deemed secure.
The incident serves as a stark reminder that no system is immune to cyberattacks, and even small cities and towns must take cybersecurity seriously. While Arkansas City was fortunate that no harm came to its water supply, the next town might not be so lucky.
The Role of Federal Oversight
Federal oversight and regulation could play a crucial role in strengthening cybersecurity at water treatment facilities. In addition to passing new cybersecurity standards, the federal government could provide funding and resources to help municipalities implement these standards. This could include grants for cybersecurity upgrades, as well as technical assistance in developing and maintaining security protocols.
Currently, the EPA has limited authority to regulate cybersecurity in water systems, but experts believe that expanding this authority could help prevent future attacks. By working together, municipalities, federal agencies, and cybersecurity firms can ensure that critical infrastructure remains safe and secure.
As Arkansas City’s water treatment facility works to return to normal operations, the incident will likely serve as a case study for other municipalities across the country. The lessons learned from this breach could help inform future cybersecurity efforts and prevent similar incidents from occurring elsewhere.
For now, residents of Arkansas City can take comfort in knowing that their water supply remains safe, and city officials are doing everything in their power to protect it. But the incident has revealed a vulnerability that will need to be addressed not only in Arkansas City, but in communities across the United States. As cyber threats continue to evolve, so too must the defenses protecting our most critical resources.
