America’s outdated infrastructure is at risk of cyberattacks that hackers could turn into ‘weapons of mass destruction’ against the public, an expert has warned.
Cybersecurity expert Dan O’Dowd told DailyMail.com that the US power grid, water treatment plants and other critical facilities use commercial software that ‘was never intended to be used in systems which people’s lives depend on.’
These systems have default passwords that have not been updated and single logins, making them vulnerable to malicious activity.
O’Dowd explained that hackers could infiltrate water treatment plants and flood drinking water supplies with raw sewage or overload systems with lethal doses of the chemicals usually used to kill bacteria.
The warning comes two days after the Environmental Protection Agency (EPA) sounded the alarm about an increase in attacks on water supplies, most recently after a Russian cyber group targeted systems in Texas, forcing one city’s system to overflow before it could be shut down.
The EPA issued an alert that water systems aren’t being protected, and many have default passwords and single logins that make it easy for hackers to access the system. (Image: the screen of the Unitronics device that was hacked at the Municipal Water Authority of Aliquippa, Pennsylvania.)
‘Connecting the power grid, hospitals, and millions of cars to the Internet with software riddled with millions of bugs and security defects has turned these systems into weapons of mass destruction,’ said O’Dowd, who is the CEO of the safety and security company, Green Hills Software.
‘Ordinary commercial software was never intended to be used in systems which people’s lives depend on.’
Commercial software was designed to keep intruders out of important systems by detecting unauthorized access to systems and alerting the administrators to potential threats.
There are already signs our water systems are vulnerable – in November of last year, the Iranian-linked group ‘Cyber Av3ngers’ forced a Pennsylvania town’s water provider to switch from remote pump operation to manual operation.
They reportedly targeted an Israeli-made device used by the utility in Aliquippa in response to the Israel-Hamas war.
The hackers took over the programmable logic controller (PLC) – an industrial computer that regulates the water pressure at pumping stations – but information about how they conducted the attack has not been released.
The China-based cyber group, Volt Typhoon, compromised the information of multiple critical infrastructure systems across the US and its territories.
The FBI reported that Chinese hackers had access to US infrastructure for up to five years before they carried out their attack in January that compromised IT environments of critical infrastructure organizations.
The agency didn’t specify where the attacks occurred, but said they primarily targeted key infrastructure in ‘Communications, Energy, Transportation Systems, and Waste and Wastewater Systems Sectors — in the continental and non-continental United States and its territories.’
(Image: water released in Muleshoe, Texas, after Russian hackers called the Cyber Army of Russia Reborn (CARR) remotely accessed a water tower. It released thousands of gallons of water and placed the town in a state of emergency.)
Last month, Russian hackers called the Cyber Army of Russia Reborn (CARR) remotely accessed a water tower in Muleshoe, Texas.
The attack caused the tower to overflow with thousands of gallons of water for nearly an hour.
The group posted a video on Telegram showing them manipulating the control systems by changing the values and settings to reset the hour meter and change the well system to release the water.
The most common way hackers gain access to databases is by guessing the passwords through trial and error or by using a computer program that rapidly tries different passwords until it finds the correct one.
Another method is SQL (Structured Query Language) injection, which lets hackers insert their own code into a website to breach the system’s security measures and obtain protected data.
Water utilities rely on computer software to operate their treatment plants and distribution systems, but if malicious actors hacked the US water systems it would cause millions of casualties, O’Dowd warned.
An attack that floods America’s drinking water with lethal chemicals would also destroy the majority of crops, causing severe food shortages and leading to thousands of deaths.
If cybercriminals ‘completely shut off the water supply, or worse still overload the system and damage it beyond repair, it could take months to replace,’ O’Dowd said, explaining hackers could also steal customer data.
‘Critical infrastructure systems such as water treatment plants are weapons of mass destruction when they are connected to the internet with vulnerable software,’ said O’Dowd.
The EPA and Federal Bureau of Investigation (FBI) outlined steps needed to secure the US water systems, including reducing exposure to the public-facing internet and conducting cybersecurity assessments regularly.
They strongly recommended immediately changing default passwords, developing response and recovery plans and conducting cybersecurity awareness training.
‘Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,’ said EPA Deputy Administrator Janet McCabe.
However, O’Dowd expressed concern that those steps won’t be enough, saying it’s imperative ‘we replace the vulnerable, commercial grade software that controls these systems with secure un-hackable software like that used to secure our nuclear forces.’
Electrical grids, hospitals and traffic control centers, among others, are also at risk of cyberattacks by countries, criminal gangs and domestic or foreign terrorists.
The aging infrastructure used for the electrical grids has left them susceptible to hackers because the control and data networks haven’t been updated or had additional security measures added to meet the growing threats of cyberattacks.
Likewise, many hospitals use medical devices with older operating systems that are difficult to update, making them easy targets for hackers to access sensitive healthcare information.
The outdated infrastructure software has continued to make the US vulnerable to countries such as China, Russia and Iran, which are ‘actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater,’ McCabe told AP News.
‘We cannot allow terrorists or foreign states to strike at the heart of our country, just as we would never leave our nuclear launch codes lying around for anyone with an internet connection to access,’ O’Dowd said.
‘We must apply the same rigorous standards of software security we demand for military applications to the critical infrastructure that society and millions of lives depend on.’
DailyMail.com has reached out to the EPA for comment.