AKMSecure Insights

Iran Got Into a U.S. Water Utility Through a Forgotten GPS Box

Written by AKMSecure | Jun 25, 2026 12:18:59 PM

The way into one of the largest water utilities in the United States wasn't a pump, a PLC, or a treatment controller. It was a GPS correction box running on lightweight hardware. An Iran-linked group called Handala has claimed a breach of California Water Service, which serves roughly two million customers, and according to a Dataminr Cyber Intel Brief reported by Industrial Cyber, the group released a 5 GB data dump containing customer billing records, personally identifiable information, and administrative credentials for an internal GPS correction network. There is no evidence that water treatment or distribution was disrupted. That is not the same as no harm done.

The entry point was a surveying tool, not a control system

The detail that should stop every OT security manager: the assessed entry point was an RTKBase deployment, an open-source NTRIP caster that streams centimeter-accurate GPS corrections to field crews mapping and maintaining water infrastructure. It runs on low-overhead hardware, often a Raspberry Pi, and its web administrative interface was reachable on a standard HTTP port across seven district mountpoints. The instance had been online for roughly 783 continuous hours, about 33 days, quietly streaming data the entire time.

The credentials to it were published in plaintext. Handala released the RTKBase administrative password and a mountpoint-level source password directly inside its proof-of-concept dump, along with the full IP range of the GPS network across all seven districts.

How does Iran reach a billing database through a GPS tool?

Weak boundaries and reusable credentials. Analysts assessed the RTKBase network as the probable initial access vector or lateral pivot into Cal Water's billing environment, two systems that should never have been one hop apart. Once an adversary holds valid administrative credentials, no firewall rule reads them as hostile. They read as authorized.

This is the pattern, not the exception. The billing platform and the GPS network were distinct infrastructure, yet the surveying tool apparently offered a path into customer data. That is a segmentation failure and a credential failure at the same time, and the second one is the one the industry keeps underestimating.

Operational-support gear is where PKI was never an option

Devices like RTKBase live in the gap traditional security never covered. A certificate authority, a renewal process, and a 300-to-700-millisecond handshake were never going to run on a sub-$100 GNSS base station sitting in a field cabinet. So these endpoints run on static, human-managed credentials, set once and left in place until an attacker finds them. PKI was never viable here, which means there is nothing to modernize. There is a gap to fill.

That is where Autonomous Key Management™ operates. AKM delivers encryption and authentication to the constrained, intermittently connected endpoints PKI could never reach, as a lightweight executable that fits industrial hardware. Keys are derived from a pre-shared crypto seed and refreshed every session, autonomously, with no certificate authority to depend on and no renewal to forget.

Static credentials are the real exposure

The single most damaging line in the disclosure is that the credentials were published in plaintext and should be considered fully compromised wherever they were reused. That is the entire problem with persistent credentials: their value to an attacker is identical to their value to the operator, and they keep that value until a human revokes them.

AKM removes that exposure by design. With session refresh, every session is independently verified and no standing credential survives to be dumped, replayed, or reused. Had the GPS network authenticated this way, the contents of Handala's data dump would already be expired material by the time anyone tried to use it. There would be no plaintext password to steal, because there would be no persistent password at all.
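As an added illustration (not AKM's protocol or code, and not taken from the page), the contrast drawn in the two sections above between a standing password and a per-session key derived from a pre-shared seed, using a plain HMAC-based derivation. The seed and password values, the 16-byte nonces and the `ntrip-session` label are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed pre-shared seed (hypothetical value; provisioned out of band in practice).
SEED = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
# A static credential of the kind that ended up in the dump (constructed value).
STATIC_PASSWORD = b"rtkbase-admin-2025"

def static_password_accepts(presented: bytes) -> bool:
    """A standing credential verifies identically today, tomorrow and after a leak."""
    return hmac.compare_digest(presented, STATIC_PASSWORD)

def derive_session_key(seed: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Fresh key per session, bound to both sides' nonces (illustrative HMAC-based KDF)."""
    return hmac.new(seed, b"ntrip-session" + client_nonce + server_nonce, hashlib.sha256).digest()

def prove(session_key: bytes, transcript: bytes) -> bytes:
    """Proof of key possession over the handshake transcript."""
    return hmac.new(session_key, transcript, hashlib.sha256).digest()

def verify(session_key: bytes, transcript: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(prove(session_key, transcript), tag)

def run_session(seed: bytes):
    """One handshake: both sides pick a nonce, derive the same key, client proves possession."""
    client_nonce, server_nonce = os.urandom(16), os.urandom(16)
    key = derive_session_key(seed, client_nonce, server_nonce)
    transcript = b"c=" + client_nonce + b"|s=" + server_nonce
    return key, transcript, prove(key, transcript)

def dumped_proof_is_rejected(seed: bytes) -> bool:
    """Capture session 1's key proof (the 'dump') and replay it into session 2."""
    _, _, captured_tag = run_session(seed)
    key2, transcript2, _ = run_session(seed)
    return not verify(key2, transcript2, captured_tag)
```

The seed remains a long-term secret that still has to be protected on the device; what changes is that nothing captured from one session verifies in the next, so a dumped proof is expired material by the time it is used.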

Zero Trust at the protocol layer, not on a slide

Cal Water's GPS box reaching its billing database is exactly the lateral movement a Zero Trust architecture is supposed to stop. AKM is Zero Trust by design: every session is verified independently, there are no standing privileges to escalate, and authentication between functional groupings of systems enables real microsegmentation without PKI overhead. An attacker holding one device's access gets one session, not a standing key to the next system over.

What utilities should take from this

Take the immediate steps the responders called for: get RTKBase and similar NTRIP casters off the public internet, treat every exposed credential as burned, and audit billing-system access logs for the roughly 33-day window the device was live. Then ask the harder question. Across your operational-support estate, the surveying rigs, sensors, gateways, and field controllers PKI never covered, how many are still protected by a password a person typed once and never changed?
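As an added example (not from the page and not the utility's own tooling), the log-audit step above run over a constructed billing-system access log: it flags events inside the roughly 783-hour exposure window whose source sits in the GPS network range, plus any use of a published account from the start of that window onward. The log format, the 10.20.0.0/16 range, the `rtkbase-svc` account name and the window end date are all placeholders.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed billing-system access log; the format and every value are placeholders.
SAMPLE_LOG = """\
2026-05-09T18:00:00Z billing auth user=ops.jane src=10.20.1.9 result=success
2026-05-21T22:40:07Z billing auth user=rtkbase-svc src=10.20.3.15 result=success
2026-05-22T01:05:19Z billing auth user=ops.jane src=10.20.5.2 result=failure
2026-06-02T09:30:00Z billing auth user=billing-admin src=198.51.100.8 result=success
2026-06-20T14:02:51Z billing auth user=rtkbase-svc src=203.0.113.77 result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) billing auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

# Placeholders standing in for the published GPS network range and account names.
GPS_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
BURNED_ACCOUNTS = {"rtkbase-svc"}
# Constructed date the caster went offline; the window runs 783 hours back from it.
WINDOW_END = datetime(2026, 6, 12, tzinfo=timezone.utc)
WINDOW_HOURS = 783

def parse(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not fit the expected format
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": ipaddress.ip_address(m["src"]), "result": m["result"]}

def audit(log_text: str, window_end: datetime = WINDOW_END, window_hours: int = WINDOW_HOURS):
    """Return (event, reasons) pairs worth a closer look. Failed logins count too: a failed
    attempt from the GPS range during the window is still evidence of a pivot attempt."""
    window_start = window_end - timedelta(hours=window_hours)
    flagged = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None or ev["ts"] < window_start:
            continue
        reasons = []
        if ev["ts"] <= window_end and any(ev["src"] in net for net in GPS_NETWORKS):
            reasons.append("source inside GPS correction network during exposure window")
        if ev["user"] in BURNED_ACCOUNTS:
            reasons.append("account whose credential was published")
        if reasons:
            flagged.append((ev, reasons))
    return flagged

def audit_sample():
    return audit(SAMPLE_LOG)
```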

Handala took data this time. It also kept the network map and carries wiper malware it has deployed before. The credential that opened the door is the one that has to stop being a permanent key. That is the gap AKM was built to close.

About AKMSecure

AKMSecure delivers a patented Autonomous Key Management™ protocol built to replace outdated PKI approaches with a dynamic, quantum-secure, air-gapped-capable architecture. Instead of relying on persistent credentials that can be stolen, reused, or abused, AKM enables independently verified sessions with no standing privileges left behind. The result is a model that better aligns with Zero Trust principles, reduces certificate-based risk, and supports resilient operations across enterprise IT, OT and Tactical Edge environments. Built to NSA-grade security standards and deployable as a lightweight SDK, AKMSecure helps organizations modernize trust at the protocol layer without rebuilding everything around it.