The small city of Arkansas City, Kansas, with a population of 12,000, found itself at the center of a cybersecurity incident that occurred on the morning of September 22. Situated at the convergence of the Walnut and Arkansas Rivers, Arkansas City relies on the latter river as its primary water source for drinking water. The city’s Environmental Services Administration issued a statement indicating that their water treatment facility fell victim to a “cybersecurity incident” on that fateful day. Upon discovery of the breach, authorities were promptly notified, and precautionary measures were put in place to address the situation.
As a precautionary measure, the water treatment facility swiftly transitioned to fully manual operations, as stated by city manager Randy Frazer. This decision was made out of an abundance of caution to ensure the continued safety and integrity of the water supply for residents. Frazer reassured the public that despite the cybersecurity incident, there had been no disruption to the water service, emphasizing that the drinking water remained safe for consumption. The city administration emphasized that cybersecurity experts and government agencies were actively working to resolve the issue and restore the facility to normal operations. Enhanced security measures were implemented to safeguard the water supply, with assurances that there would be no impact on water quality or service delivery for residents.
In light of the incident, industry experts and cybersecurity professionals have weighed in on the significance of the facility’s move to manual operations. Shawn Waldman, CEO and founder of Secure Cyber, highlighted the gravity of resorting to manual mode in response to a security breach. Waldman underscored the challenges and implications of operating a plant in manual mode, emphasizing the importance of avoiding such a scenario unless absolutely necessary.
The incident at the Arkansas City water treatment facility has also brought attention to the vulnerabilities and risks associated with modern industrial control systems. While legacy equipment has long struggled to meet cybersecurity standards, newer facilities designed with enhanced connectivity face their own set of challenges. The new water treatment facility in Arkansas City, boasting advanced technology and operational efficiencies, opened in February 2018 at a cost of $22 million. Despite its state-of-the-art infrastructure, the exact cybersecurity posture of the facility remains undisclosed.
Waldman raised concerns about cities prioritizing infrastructure upgrades over cybersecurity investments, emphasizing the critical need for comprehensive security measures in safeguarding essential services and infrastructure. He called for regulatory bodies like the EPA and Congress to establish stringent cybersecurity standards for critical infrastructure, citing past incidents where lax cybersecurity practices led to vulnerabilities and cyber attacks on water facilities.
As the investigation into the cybersecurity incident at the Arkansas City water treatment facility continues, stakeholders and experts underscore the importance of proactive measures to enhance cybersecurity resilience in critical infrastructure. The incident serves as a stark reminder of the ever-evolving threats faced by essential services and the imperative of robust cybersecurity practices to mitigate risks and safeguard public safety.