In 2018, in the aftermath of Hurricane Florence, hackers attacked the North Carolina Water and Sewer Authority. The attackers encrypted the databases, locking employees out of the system, and then demanded a ransom to release it. The decision makers didn’t pay the ransom, and they were forced to rebuild their information systems from scratch.
Attacks like this are becoming more common nowadays, due to worldwide digitalization. Technological advances have made our water supply more efficient. For example, they can automate the water chemical treatment, or enable electronic billing. However, the same advances make the system more open to cyberattacks. Read on to learn what vulnerabilities impact water systems most, and how to enhance your security against common cyber attacks.
What Makes Water Systems Vulnerable to Cyber Attacks
The New York Times calls water systems “the perfect target for cybercriminals”. A perfect storm of conditions leaves infrastructure sectors, such as water and wastewater systems, open to vulnerabilities and attacks. Below, you’ll find a review of the two main challenges critical infrastructure faces.
Legacy systems
Water systems are operated by their industrial control system (ICS), a software system which controls the utility’s operations. In most cases, an ICS consists of new technologies layered on top of legacy systems. The mix of new and old systems often presents compatibility problems.
Until recently, water systems were kept physically separated from any connected computer. This disconnection, or “air gap”, made them harder to attack. This is not the case anymore. Nowadays, the facilities are controlled by computer systems connected to the Internet, but in many cases they are outdated.
In 2016, attackers altered the water’s chemical treatment during a suspected terrorist attack, supposedly to cause a public health crisis. The location of the plant was not disclosed for security reasons. In the end, it turned out that the utility was managed by an outdated computer system with poorly protected administration credentials.
Interconnectivity of Cyber Physical Systems
A Cyber-Physical System is the combination of computing components and physical components, such as sensors and actuators. CPSs are used for infrastructure systems such as water or energy utilities.
CPS components are connected by a network and work in a feedback loop. That makes it easy for attackers to take out the entire system by targeting individual components, for example by attacking the Supervisory Control and Data Acquisition (SCADA) workstations or the Programmable Logic Controllers (PLCs).
Types of Attacks on Water Systems
Attacks on water systems can cause security incidents such as:
- Operations disruption—disrupting chemical treatment or water supply by manipulating valves, overriding alerts, or disabling equipment.
- Sensitive data breach—attackers can enter the utility’s billing system and extract credit card information.
- System hijack—using ransomware attacks to stop operations.
The goals of the attackers are to compromise the function of the water system or extract confidential information. When the primary goal of the attack is to extract information, sometimes attackers lurk undetected in the system for long periods of time. Some of the most common attack methods include:
- Denial of Service (DoS)—an attacker uses software to flood the utility’s server or network with bogus requests. The system gets overwhelmed and is unable to serve requests from legitimate users.
- Ransomware—a type of malware that encrypts and takes control of a system, refusing to release it until money is paid. The attacker scrambles the data until it is not recognizable, protecting it with a password or encryption key. The targeted company needs to pay a monetary ransom to get the key to decode their data.
- Spear-phishing—the attackers use fake websites or emails to trick users into downloading malware or disclosing confidential data.
- Spyware—a type of malware that monitors user activity.
- Heartbleed—a flaw in a widely used encryption library (OpenSSL) that lets attackers read information from a server’s memory. The Heartbleed vulnerability affected many Internet of Things devices and was detected following a wave of attacks a few years ago. One of the products affected by this vulnerability was a very popular Industrial Control System. Yes, one of the most commonly used ICS platforms in power plants and water facilities contained the Heartbleed bug and could be exploited. Fortunately, a patch for this bug was developed and many organizations have applied it. However, some outdated systems still haven’t applied the patch and remain vulnerable.
The number of attacks on infrastructure, especially water systems, has increased in the past years. Here are some real examples of how attackers can target a water utility network:
- Exploiting outdated systems—in this incident, the attackers gained access to the system, manipulating the water flow and the chemicals used for water treatment. The attackers also extracted customer data via the company’s payment system. Adopting a Payment Card Industry (PCI) security framework can help prevent attackers from extracting and using customers’ data.
- Ransomware attack—the attackers performed a ransomware attack disrupting the systems of the Atlanta Department of Watershed Management. Employees couldn’t turn on their computers or gain Internet access for a week. The recovery took months and up to $5 million in costs.
- Spear phishing—an employee was tricked by the attackers into clicking on a malicious email link. The link downloaded malware into the system via the employee’s computer. The attackers then used the employee’s credentials to take control of the network and perform a ransomware attack, locking users out of the system. The utility’s operations were disrupted, affecting the water supply for the whole city. This attack highlights the importance of access controls, as well as employees’ cyber security awareness.
- Vulnerability exploit—attackers found a vulnerability in an outdated wireless Internet connection of an ICS belonging to a water and sewage authority. They disrupted operations on and off for two months, changing the water flow and disrupting the sewage flow. This attack highlights the importance of keeping systems updated and constantly scanning networks.
Security Practices for Securing a Water Utility System
You can use the following practices to reduce the exploitable vulnerabilities and defend the network from attacks.
- Multilayer defense approach—it is a good practice to implement multiple security layers that can effectively monitor and detect threats. Practices such as constant monitoring, patch management and automatic security upgrades are a must.
- Network segmentation—the customer and industrial networks of a water utility need to be kept separated as much as possible.
- Have a contingency plan—the systems should be able to work offline to prevent supply disruptions. This includes preparing and testing emergency response and business continuity plans.
- Keep an inventory of equipment—as well as practice constant monitoring. Utilities should control the exposure of critical equipment such as Control System Devices to external networks.
- Use access control methods—such as access control lists and role-based access controls.
- Maintain a strong password policy—require strong passwords everywhere, and never leave default vendor passwords in place.
- Keep systems updated—by automating updates and implementing patches.
- Create a security culture—by creating security awareness training programs for employees.
- Develop an incident response plan—have a detailed plan that enumerates the steps to take when a security incident occurs.
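Several of the practices above (segmentation, an equipment inventory, no default vendor passwords, patched systems) can be checked mechanically against an asset inventory. The script below is an added example written for this article, not code from the original page or from any utility or vendor: it audits a small constructed inventory of water-plant devices (the device names, zones, firmware versions and reachability data are all hypothetical) and flags control devices exposed to the Internet, industrial devices reachable from the customer network, devices still on a default vendor password, and devices running firmware older than the latest release.

```python
"""Audit a (constructed) water utility asset inventory for common exposures.

Every device, zone name and version number here is hypothetical sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str                   # hypothetical asset tag
    kind: str                   # e.g. "PLC", "SCADA workstation", "billing server"
    zone: str                   # "industrial" (ICS/OT) or "customer" (IT)
    internet_exposed: bool      # directly reachable from the Internet?
    default_password: bool      # still using the vendor's default credential?
    firmware: str               # installed version, dotted form
    latest_firmware: str        # latest vendor release, dotted form
    reachable_from: tuple       # network zones with a route to this device


def version_tuple(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit(devices):
    """Return (device name, finding) pairs; an empty list means no exposure found."""
    findings = []
    for d in devices:
        # Control System Devices should not sit on the Internet at all.
        if d.zone == "industrial" and d.internet_exposed:
            findings.append((d.name, "industrial device exposed to the Internet"))
        # Customer (billing) and industrial networks must be kept separated.
        if d.zone == "industrial" and "customer" in d.reachable_from:
            findings.append((d.name, "industrial device reachable from customer network"))
        # Default vendor passwords are a standing invitation.
        if d.default_password:
            findings.append((d.name, "default vendor password in use"))
        # Anything behind the latest release is missing at least one patch.
        if version_tuple(d.firmware) < version_tuple(d.latest_firmware):
            findings.append(
                (d.name, f"outdated firmware {d.firmware} (latest {d.latest_firmware})")
            )
    return findings


def devices_with_findings(findings):
    """Set of device names that appeared in at least one finding."""
    return {name for name, _ in findings}


# Constructed sample inventory for one (fictional) treatment plant.
INVENTORY = [
    Device("PLC-CHLORINE-01", "PLC", "industrial", False, True,
           "2.1.0", "2.4.1", ("industrial",)),
    Device("SCADA-WS-01", "SCADA workstation", "industrial", True, False,
           "5.0.0", "5.0.0", ("industrial", "customer")),
    Device("BILLING-WEB-01", "billing server", "customer", True, False,
           "3.2.0", "3.2.0", ("customer", "external")),
    Device("PUMP-RTU-07", "RTU", "industrial", False, False,
           "1.9.2", "1.9.2", ("industrial",)),
]


if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

On the sample inventory the chlorine PLC is flagged twice (default password, old firmware) and the SCADA workstation twice (Internet exposure, route from the customer network), while the billing server, which legitimately faces customers, and the patched pump RTU produce no findings. In practice the inventory would be exported from the utility's asset management system rather than typed in, and the same checks can run on every change to it.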
The Bottom Line
Critical infrastructure systems are evolving, incorporating new technologies to the old systems. The resulting connected network of equipment and control systems broadens the attack surface. Attackers take advantage of this, exploiting vulnerabilities and attacking water plants around the world. Most attackers go after the money, but an increasing number are using the attacks as a form of political activism. After all, disrupting water supply as a war attack is not new.
The latest attacks have made cyber security a top concern for the water sector. Most of the attacks mentioned in this article could have been prevented by following basic security practices. A proactive approach and following the tips mentioned here, can help you ensure the safety of such a critical resource.