When the Water Stops: A Cyberattack Simulation Exposes Critical Infrastructure Vulnerabilities
A recent cybersecurity war game, simulating a catastrophic cyberattack on US water utilities, revealed the devastating, cascading effects such an event could unleash. Experts warn that nation-state actors, particularly China's **Volt Typhoon** group, are actively pre-positioning in critical infrastructure networks, raising alarms about potential real-world disruptions.
A simulated cyberattack on US water utilities quickly escalated from a game to a chillingly plausible scenario, highlighting the fragility of critical infrastructure in the face of sophisticated threats.
**Joshua Corman**, former Cybersecurity and Infrastructure Security Agency (CISA) strategist, led a war game for insurance executives, where a hypothetical attack disrupted 5,000 water utilities across the United States. Within 24 in-game hours, the second-order effects were catastrophic: food refrigeration failed, drug manufacturing stalled, data center cooling systems collapsed, and 2,000 hospitals lost water, forcing evacuations.
Adding to the grim reality, the simulated attack included physical destruction, with a looping video of a burst water main underscoring the long-term repair challenges beyond IT disruption. "Everything depends on water," Corman emphasized, as participants grappled with impossible decisions about resource allocation and client prioritization amid hints of a Chinese military-backed assault.
### The Shadow of Volt Typhoon
The tension in the simulation mirrors real-world concerns. In May 2023, **Microsoft**, the **National Security Agency (NSA)**, and **CISA** collectively announced the discovery of **Volt Typhoon**, a hacking group linked to the Chinese military. This group had infiltrated critical infrastructure networks across the continental US and Guam, targeting manufacturing, telecommunications, and the electric grid.
Initial assessments suggested **Volt Typhoon** was focused on espionage, but subsequent analysis revealed a more sinister intent: "pre-positioning" capabilities to disrupt critical communications and infrastructure during future crises, potentially in anticipation of a conflict over Taiwan.
As tracking continued, it became clear **Volt Typhoon**'s target list extended beyond military-relevant assets. It included a water utility in Hawaii, multiple US ports, an oil and gas pipeline, and hundreds of other entities, some as small as the **Littleton Electric Light & Water Departments** in Littleton, Massachusetts. **Brandon Wales**, former CISA executive director, suggested their goal was to "cause societal chaos in the United States" and influence geopolitical actions.
### Stealthy Infiltration and Future Threats
Even three years after its discovery, **Volt Typhoon**βor its evolved successorsβcontinues to target US electric grids and water utilities. **Joe Slowik**, a former Los Alamos National Labs cybersecurity researcher now leading threat research at **Dataminr**, notes that while some intrusions are caught, many go undetected due to the limited security budgets of municipal utilities and the hackers' advanced "living off the land" techniques, which hijack legitimate network functions instead of deploying malware.
While the scale of 5,000 hacked utilities in the war game is unprecedented, **Jen Easterly**, former CISA director and current CEO of the **RSA cybersecurity conference**, warns that AI could make such mass sabotage far more plausible, especially as offensive AI capabilities potentially outpace defensive ones. Easterly believes that what has been discovered about China's strategy to create access points in critical civilian infrastructure is merely the "tip of the iceberg," with their intent to launch disruptive attacks during a crisis in the Taiwan Strait remaining unchanged.
