Around a third to a half of all of Arizona’s water utility systems are already compromised, with hackers lying in wait to launch potentially devastating attacks that could destroy infrastructure, sow chaos and leave an untold number of Arizonans without access to running water.
That’s the best-guess assessment from Alec Davidson, a cybersecurity expert at the Water Information Sharing and Analysis Center, who last week joined the Water Infrastructure Finance Authority (WIFA) ongoing discussion about threats and vulnerability in Arizona’s water systems — and how to stop them.
“I can say with almost certainty that there are cyber actors that are on Arizona water utility networks as we speak,” Davidson told the WIFA board. “(They’re) either doing reconnaissance so they can steal something and make a profit — or, more nefariously, they are some kind of nation-state-backed actor who is pre-positioning themselves to do some malicious or disruptive or even destructive activity at a later date in the event of some kind of geopolitical conflict.”
And getting them out of our systems is going to be wildly expensive.
It doesn’t cost much to prevent a hack, Davidson explained. There are lots of free best practices and cheap tools that water utilities can use to ensure they don’t get hacked.
But once hackers are in, it can be nearly impossible to find them — and the price of clearing out hackers and securing one compromised critical infrastructure system can run from the millions to the tens of millions of dollars, Davidson said.
Arizona has hundreds of water utilities — so we’re talking hundreds of millions, potentially billions, of dollars just to get the hackers out of our systems.
That’s not even preventing future attacks.
Back in May, we attempted to scare the hell out of you by telling you about a few of the attacks on water infrastructure that have already happened around the nation.
But a quick recap can’t hurt.
In 2021, a Florida water-plant operator watched as the cursor on a computer screen began moving around and opened the plant’s control system. The unknown cyber intruder raised the water’s caustic lye additive levels from a harmless 100 parts per million to a skin-burning 11,100 parts per million. The staffer yanked the numbers back before the dangerous water entered the delivery system, officials reported in the aftermath.
In February of last year, a Russia-linked hacktivist group livestreamed itself poking around a small Texas town’s control screens. They flipped one pump on long enough to overflow a storage tank; water floods down the street for more than half an hour. The attack coincided with similar attacks in three other Texas towns. In all cases, the utility managers had to “unplug” the systems and operate them manually until the breaches were resolved.
Last October, the United States’ largest water and sewer utility, American Water, serving 14 million people in 14 states, spotted “unauthorized activity” inside its corporate network. The company yanked customer-billing, call-center and other IT systems offline “to protect our customers’ data and prevent any further harm,” it told regulators in an SEC filing. The outage froze online payments for almost a week.
And those are just a small sample of the hacks that we know about against water infrastructure. Most of the attacks likely go unreported — or more terrifyingly, we don’t even know they happened.
Arizonans get their water from a patchwork of providers, from the giant Central Arizona Project, to municipalities like Phoenix Water, to small rural companies and nonprofit cooperatives that serve just a few hundred or a few thousand customers.
And while the big corporations and municipal utilities usually have some level of cyber security sophistication, many small providers are run by tiny teams operating on thin margins and without the kind of basic protection and security plans that could ward off attacks.
In fact, in many cases, we don’t even know which is which.
As part of its dive into cybersecurity, WIFA polled water utilities in Arizona that serve more than 3,300 customers about their data and infrastructure security practices.
Of the 141 systems that qualified, 120 responded.
Of those, only 35 said they’d done a cybersecurity assessment.
Nearly as many, 32 water utilities, wouldn’t give WIFA any information at all. And that includes some of the largest water providers in Arizona.
Part of the problem, per Arizona’s Chief Information Security Officer Ryan Murray, is that the state doesn’t actually have any statutory authority to compel companies to tell them about their security plans.
And those security plans may quickly become important.
Davidson explained that one of the big fears in the cybersecurity community is that China will invade Taiwan in 2027. What’s that got to do with Arizona’s water infrastructure?
The Chinese actors currently hiding in our critical infrastructure software may spring into action, he explained.
“We assessed that even though we’re not sure that the U.S. would get involved or how they would respond, just in case … China would likely launch some type of disruptive or massive destructive attack on our critical infrastructure organizations, to slow us down, to stop us from mobilizing to defend Taiwan and also just to sow chaos here in the homeland,” Davidson warned.
And the federal help through the Cybersecurity and Infrastructure Security Agency (CISA) that local organizations leaned on is no longer available, Murray warned. CISA currently has zero permanent staff in Arizona — the two people who were assigned here have left since Donald Trump got reelected and started slashing the agency’s budget. (It also does election security.)
That has been a massive problem within the public sector cybersecurity community.
If not CISA, who can we rely on to protect our critical water infrastructure from such attacks?
Volunteers, unfortunately.
Former Deputy National Cyber Director Jeff Braun is starting a volunteer water and wastewater cybersecurity force through DEF CON to put volunteers together with utilities that need support.
The state is still identifying systems to beef up, then will begin vetting the volunteers, Murray told the WIFA board. That wasn’t exactly comforting news to WIFA Vice Chairman Pete Kim, who has spearheaded WIFA’s conversations about cybersecurity and asked the obvious question: Why are we relying on volunteers?
“The candid answer is we have nothing else,” Murray replied. “My staff is limited, our federal partners are limited, local partners are incredibly limited. … There’s nothing else, so we have to find creative solutions to do it.”
With the infinite risk that cybersecurity presents, the funding need is also infinite, Murray told the board. But doubling his office’s current budget of $20 million would be a good start.
But finding another $20 million in state money will be tough in this economy.
Lawmakers at the state and federal levels have failed to pass infrastructure security legislation, even without any funding attached.
Last year, Republican state lawmaker Nick Kupper proposed HB2696, which would have outlawed using software for critical infrastructure that is produced by a company headquartered in an adversarial foreign country. But the bill never made it to the governor’s desk.
At the federal level, U.S. Sen. Ruben Gallego introduced the Water Cybersecurity Enhancement Act with bipartisan support. It would have provided federal grants for cybersecurity enhancements to water infrastructure systems. But it never even got a hearing.
Until we have the political will and the cash to pump massive amounts of money into addressing our cyber weaknesses, our water infrastructure will remain vulnerable.
Arizona’s growing fast, and every new bridge, school, and neighborhood we build should reflect the best of us.
That means hiring skilled local workers, paying them fair wages, and giving them careers they can be proud of. When we invest in people, the work lasts longer, the projects run smoother, and our communities grow stronger.
Let’s build Arizona’s future with dignity and pride — and make every job one worth keeping.
Learn more at Rise-AZ.org.
This week, the water that’s grabbing the attention of Arizonans isn’t in an aquifer or flowing down the Colorado River.
It’s 55 million miles away.
A ball of frozen water and rock, AKA a comet, was discovered by University of Arizona astronomers in January and it’s going to be visible to backyard skywatchers this week, thanks in part to the ice that’s vaporized as solar rays hit the comet.
Comet Lemmon, named after the telescope atop Mount Lemmon near Tucson, is leaving behind a trail of ice, gas and dust, all of which makes it glow green in the night sky.
You won’t need a telescope to spot it near the Big Dipper around dusk. All you need is a pair of simple binoculars, according to Carson Fuls, the UA astronomer who discovered the comet.