American Water Cyberattack - Expert’s Thoughts

October 2024 by Craig Birch, identity security expert and Principal Security Engineer at Cayosoft

Below is an expert’s perspective on the ransomware attack on American Water that was announced this week. Craig Birch, Principal Security Engineer and Technology Evangelist at Cayosoft, is a cybersecurity industry veteran with over 20 years of experience in identity management and protection. He said the following about the attack:

"We continue to see a rise in cyberattacks against our water systems and other critical infrastructure, in large part due to poor identity hygiene, which is making systems exploitable. Many of these systems still rely on outdated technologies that cannot support modern authentication methods, such as multi-factor authentication (MFA), leaving them highly vulnerable to credential-based attacks. In numerous cases, water utilities and critical infrastructure operators continue to use default system credentials and active credentials tied to stale or orphaned accounts, and allow unmanaged convergence between Information Technology (IT) and Operational Technology (OT) networks. These vulnerabilities create easy entry points for cybercriminals, who exploit compromised identities to gain unauthorized access, disrupt essential operations, and manipulate critical processes.

Recent attacks underscore the impact of poor identity practices on the severity of such incidents. In 2023, water facilities in Paris and Israel were targeted by cybercriminals who exploited weak or default credentials and outdated access controls to breach critical systems. These cases highlight the growing threat facing critical infrastructure from increasingly sophisticated adversaries. Addressing identity hygiene is no longer optional—it is a necessity. To effectively safeguard these systems, we must implement and enforce modern identity and access management practices. These include requiring MFA, managing identity lifecycles to eliminate stale accounts, removing standing privileges, following Zero Trust principles, and enforcing stricter segmentation between IT and OT networks."
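As an added illustration, not part of the statement above nor of any Cayosoft product, the following audit runs over a constructed account inventory and flags the hygiene failures the statement names: enabled accounts with vendor default credentials, enabled accounts that are stale or orphaned, and enabled accounts without MFA. The field names, the sample accounts and the 90-day stale threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    """One identity record, as an asset inventory or directory export might expose it."""
    name: str
    enabled: bool
    last_logon: Optional[datetime]      # None = never logged on
    owner: Optional[str]                # None = orphaned, nobody is responsible for it
    mfa_enrolled: bool
    vendor_default_password: bool       # assumed to come from a credential audit


STALE_AFTER = timedelta(days=90)        # assumed policy threshold


def audit(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Return {account name: [issue tags]} for every enabled account that
    violates at least one hygiene rule. Disabled accounts are skipped because
    their credentials cannot be used to log on."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        if acct.vendor_default_password:
            issues.append("default-credential")
        if acct.last_logon is None or now - acct.last_logon > STALE_AFTER:
            issues.append("stale-active")
        if acct.owner is None:
            issues.append("orphaned")
        if not acct.mfa_enrolled:
            issues.append("no-mfa")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample inventory; names and dates are invented for the example.
NOW = datetime(2024, 10, 8)
SAMPLE = [
    Account("scada-hmi", True, datetime(2024, 10, 7), "ot-team", False, True),
    Account("contractor-jsmith", True, datetime(2024, 3, 1), None, True, False),
    Account("admin-ops", True, datetime(2024, 10, 6), "it-ops", True, False),
    Account("old-vendor", False, None, None, False, True),   # disabled: not reported
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, NOW).items():
        print(f"{name}: {', '.join(issues)}")
```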