- October 11, 2018
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Hacking, Industrial Control System Security, Posts with image
As you take a sip of water from your glass or bottle, you may not be thinking about how it got there — and the chemicals that went into treating it.
Chlorine, to get rid of bugs.
Diluted sulfuric acid, perhaps, to bring down pH levels.
These chemicals can make your water safer — unless someone could remotely take over the controls and fill your glass with poison.
Could it happen?
A researcher from the Singapore University of Technology and Design says many water plants are not prepared for cyber attack.
“Water utilities, most of the time, don’t even have the tools or the awareness to check and see if they have cyber attacks in their history,” said researcher Riccardo Taormina in a presentation at the Kaspersky industrial cybersecurity conference in Sochi, Russia, last month.
Water treatment facility in Russia. Image credit: iStock
The first successful cyber attack on water control systems was dramatic.
In 2000, an angry worker rejected for a job hacked a waste management system and spilled millions of gallons of raw sewage into parks, buildings and rivers in Maroochy Shire, Australia.
Sewage at a treatment plant in the Maroochy Shire area in Australia, now known as the Sunshine Coast. Image: Unitywater
Later attacks were less destructive, but still worrisome.
In 2016, the Verizon RISK Team described a hacktivist attack on an unnamed water utility, where the cyber invaders actually changed the chemical levels in people’s drinking water.
Luckily, an alert notified the water company about the unusual chemical content before the water could leave the plant.
Hackers were more successful in placing cryptomining malware on the control systems of an unnamed water treatment facility this year, using the plant’s processing power to generate money for themselves and slowing down operations.
Cyber intruders often go for the money, freezing water company computers with ransomware, stealing customer data, or doing reconnaissance for future missions.
Recent water leak in the Maroochy Shire area, now known as the Sunshine Coast. Image: Unitywater
Banks and credit card companies started gearing up for cyber attacks years ago.
But water utilities may have lagged behind other industries.
A McAfee survey in 2010 concluded that water and sewer systems were less likely to have basic, key security measures in place.
Last year, the Department of Homeland Security and the Environmental Protection Agency urged water utilities to check their systems for vulnerabilities and security gaps.
But water utilities still have work to do, according to Taormina.
“Although awareness is on the rise, the incidents show that most of the attacks on water utilities so far could have been easily prevented,” he said to Archer News.
Walk-through model of a water treatment system at the Singapore University of Technology & Design. Image: iTrust & SUTD
More water companies are going digital, changing over their older equipment for new, connected controls.
But Taormina said management does not always consider the security issues that come with Internet connections.
“Consequently, water utilities that spend substantial funds in acquiring these latest technologies often do not take into account all the extra costs needed,” he said. “For instance, to hire security experts, or continuously train existing staff so that their systems are always maintained and secured against ever-evolving and increasingly sophisticated threats.”
Researcher Riccardo Taormina talks about the vulnerability of water utilities at the 2018 Kaspersky Industrial Control Systems conference in Sochi, Russia. Image: Archer News
One of the key security gaps — not separating the computer systems controlling the machines that process your water from the office systems and the Internet, allowing attackers to break in and take over with just an e-mail or other simple hack.
“Very poor separation between IT [information technology] and OT [operational technology] seems to be the major cause of these attacks,” Taormina said.
Other issues include lack of awareness and lack of training, according to Taormina.
“I think they should focus on how to prevent the attacks,” he said. “I also believe that managers in the water sector should consider implementing security guidelines even if compliance is not mandatory but merely voluntary.”
Water treatment tanks at a plant in Bulgaria. Image: iStock
How bad — or good — is the state of water utility cybersecurity in the U.S.?
Archer News contacted the Water Information Sharing and Analysis Center, or WaterISAC, which provides security information for its members — utilities providing water and wastewater service to most of the U.S., according to its website.
The WaterISAC refused to answer questions for this story.
Another water industry group stepped up with helpful information.
“I feel that utilities are moving in the right direction,” said Kevin Morley, federal relations manager with the American Water Works Association who oversees cybersecurity issues.
“Is the job done? No, it’s never done,” he added. “It’s a dynamic threat.”
Water treatment plant in Illinois. Photo by stantontcady on Foter.com / CC BY-ND
There are multiple challenges for water utilities, according to Morley.
Most of the 52,000 water systems in the U.S. are municipal, run by cities or other small governments.
That means salaries for water systems employees may be lower than in other places, making it hard to keep people skilled in cybersecurity.
“I can work at municipal utility ‘X’. It’s a good working salary, don’t get me wrong. But if I can pull three figures somewhere else, that’s tough. It’s not just a water sector issue. That applies to city government, too. That is a challenge,” Morley said.
Water treatment plant in California. Photo by jay galvin on Foter.com / CC BY
Another change — insurance.
Insurance companies want to know that a water utility is at least doing basic cybersecurity measures.
That encourages water utilities to work on security.
“Geico or Progressive want to know I’m a safe driver,” said Morley. “Those underwriters are asking questions. So, there are evolving market-based incentives for utilities to do things. I do feel that utilities are moving in the right direction.”
Help in Small Bites
The skills you need to work at a water plant are evolving, too.
“If I’m a water guy, my job is to make water. It’s not to be a technologist,” said Morley.
And yet in the age of cyber attacks on the underpinnings of your world — power plants, water plants and more — technology is key.
How do you change your focus and skillset?
Morley said the AWWA created special cybersecurity guidance for water systems with that kind of question in mind.
“One of the things we approached when we started developing our guidance was the reality that there’s not a lack of information about good security protocols, it’s just that there’s a lot of information,” he explained.
So, he said, they broke up the big world of cybersecurity guidelines into bite-sized pieces that can be applied to specific water system activities, like remotely checking a pump station at night, for example.
“If you’re going to do that, here are the controls you should have in place,” he said.
Chemical dosing unit at the water plant cybersecurity research center at SUTD. Image: iTrust & SUTD
There is additional help for water utilities.
The Environmental Protection Agency suggested utilities use a tool developed by the National Institute of Standards and Technology to help manage cybersecurity-related risk, Bloomberg reported.
The WaterISAC created guidelines, too, in the form of the 10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks.
Assistant professor Nils Tippenhauer explains the network at a water system research center in Singapore. Image: iTrust & SUTD
We need to better report, study and characterize cyber attacks on water systems because water distribution systems are heavily targeted infrastructures, Taormina said.
He works with testbeds, walk-through models of water treatment facilities and water distribution systems at the Singapore University of Technology and Design.
He and other researchers use the model systems to learn about security gaps in water plants — how to fix them, and which solutions work best.
“We need at least to start to address this problem,” Taormina said. “Our hope is that they could be used by public utilities to better cope with the risk associated to cyberattacks.”
If they don’t, you may see — or taste — the results. In your water glass.
Main image credit: Pixabay