How America’s outdated water systems could be turned into ‘weapons of mass destruction’, according to a top cyber expert

America’s aging infrastructure is at risk of cyberattacks that hackers could turn into “weapons of mass destruction” against the public, an expert has warned.

Cybersecurity expert Dan O’Dowd told DailyMail.com that the US power grid, water treatment plants and other critical facilities use commercial software that was “never intended to be used in systems on which people’s lives depend.”

These systems have default passwords that are not updated and one-time logins, making them vulnerable to malicious activity.

O’Dowd explained that hackers could infiltrate water treatment plants and flood drinking water supplies with raw sewage or overload systems with lethal doses of the chemicals commonly used to kill bacteria.

The warning comes two days after the Environmental Protection Agency (EPA) raised the alarm about an increase in attacks on water supplies, most recently after a Russian cyber group attacked systems in Texas, flooding one city’s system before it could be shut down.

The EPA has issued a warning that water systems are not protected and that many water systems have default passwords and one-time logins that allow hackers to easily gain access to the system. Pictured: The screen of the Unitronics device that was hacked at the Municipal Water Authority of Aliquippa, Pennsylvania

“By connecting the power grid, hospitals and millions of cars to the Internet with software riddled with millions of bugs and security flaws, these systems have been turned into weapons of mass destruction,” said O’Dowd, CEO of the safety and security company Green Hills Software.

“Ordinary commercial software was never intended for use in systems on which people’s lives depend.”

Commercial software is designed to keep intruders out of important systems by detecting unauthorized access to systems and alerting administrators to potential threats.

There are already signs that our water systems are vulnerable: last November, the Iranian-affiliated group ‘Cyber Avengers’ forced the water supplier of a town in Pennsylvania to switch from a remotely operated pump to a manually operated pump.

They reportedly targeted an Israeli-made device used by the utility company in Aliquippa in response to the war between Israel and Hamas.

The hackers took over the Programmable Logic Controller (PLC) – an industrial computer that controls water pressure at pumping stations – but information about how they carried out the attack has not been released.

China-based cyber group Volt Typhoon has compromised the information of multiple critical infrastructure systems in the US and its territories.

The FBI reported that Chinese hackers had access to US infrastructure for up to five years before launching the attack in January that compromised the IT environments of critical infrastructure organizations.

The agency did not specify where the attacks took place, but said they primarily targeted key infrastructure in the sectors “communications, energy, transportation systems, and waste and wastewater systems – in the continental and non-continental United States and its territories.”

Russian hackers, the Cyber Army of Russia Reborn (CARR), have remotely accessed a water tower in Muleshoe, Texas. Thousands of liters of water were released (photo) and the city was placed in a state of emergency.

In November last year, the Iranian-affiliated group ‘Cyber Av3ngers’ forced the water supplier of a Pennsylvania city (pictured) to switch from an external pump to manual operation.

Last month, Russian hackers, dubbed the Cyber Army of Russia Reborn (CARR), had remotely accessed a water tower in Muleshoe, Texas.

The attack caused the tower to flood with thousands of liters of water for almost an hour.

The group posted a video on Telegram showing how they manipulated the control systems by changing the values and settings to reset the hour meter and alter the well system to release the water.

The most common way hackers can gain access to databases is by guessing the passwords through trial and error or by using a computer program that quickly tries different passwords until it finds the right one.

Another method is SQL (Structured Query Language) injection, which allows hackers to insert their own code into a website, thereby breaking the system’s security measures and obtaining protected data.

Water utilities rely on computer software to control their treatment plants and distribution systems, but if bad actors were to hack into U.S. water systems, it would cause millions of casualties, O’Dowd warned.

An attack that floods America’s drinking water with deadly chemicals would also destroy the majority of crops, causing severe food shortages and killing thousands.

If cybercriminals “completely shut off the water supply, or worse, overload the system and damage it beyond repair, it could take months to replace it,” O’Dowd says, explaining that hackers can also steal customer data.

“Critical infrastructure systems such as water treatment plants are weapons of mass destruction when they are connected to the internet with vulnerable software,” O’Dowd said.

The EPA and the Federal Bureau of Investigation (FBI) outlined the steps needed to secure America’s water systems, including reducing exposure to the public internet and conducting regular cybersecurity assessments.

They strongly recommended immediately changing default passwords, developing response and recovery plans, and conducting cybersecurity awareness training.

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure our nation’s drinking water is protected from cyberattacks,” said EPA Deputy Administrator Janet McCabe.

However, O’Dowd expressed concern that these steps will not be enough, saying it is imperative “we replace the vulnerable, commercial software that controls these systems with secure, unhackable software like that used to secure our nuclear forces.”

Electricity grids, hospitals and traffic control centers, among others, are also at risk of cyber attacks by countries, criminal gangs and domestic and foreign terrorists.

The outdated infrastructure used for the power grids has made them susceptible to hackers as the control and data networks have not been updated or additional security measures added to deal with the growing threats of cyber attacks.

Likewise, many hospitals use medical devices with older operating systems that are difficult to update, making them easy targets for hackers to gain access to sensitive healthcare information.

The outdated infrastructure software continues to leave the U.S. vulnerable to other countries such as China, Russia and Iran, which are “actively seeking the ability to disable U.S. critical infrastructure, including water and wastewater,” McCabe told AP News.

“We cannot allow terrorists or foreign states to attack the heart of our country, just as we would never leave our nuclear launch codes lying around for anyone with an internet connection,” O’Dowd said.

“We must apply the same rigorous standards of software security that we demand for military applications on the critical infrastructure on which society and millions of lives depend.”

DailyMail.com has contacted the EPA for comment.
