Over the past few months, it has felt as though a different organization falls victim to a ransomware attack every day. While ransomware attacks aren’t new, the recent headline-grabbing attacks exploit the products and services that we use on a daily basis. This growing trend of cybercriminals attacking critical infrastructure through industrial cybersecurity attacks has become more lucrative for attackers because the attacks disrupt the way of life, which makes them more devastating for the victims and for the global community.
On top of the alarming number of ransomware attacks, more and more severe remote access vulnerabilities have been discovered. This has made it easier for cybercriminals to exploit their targets. One of the industries most affected by poor remote access security is the water utility industry.
Due to the important role of water and wastewater infrastructures in our society, their newly connected systems have become an attractive target for cybercriminals to attack via different attack vectors such as insider and outsider threats and supply chain attacks.
Since the start of 2021, several water plants have been successfully attacked by cybercriminals. On January 15th, a water treatment plant in San Francisco was exploited by an attacker who was trying to poison the plant. The cybercriminal gained access by using a former employee’s TeamViewer account credentials. Once inside the water plant’s system, the attacker deleted programs that the plant used to treat drinking water. The plant discovered the attack only the next day, and the facility changed its passwords and reinstalled the programs.
A few weeks later another attack on a water plant occurred: the Oldsmar, Florida, water system cyber attack. A hacker gained access to the water treatment system of Oldsmar, Florida, and hijacked the plant’s operational controls. He was able to temporarily drive up the sodium hydroxide content in the water to poisonous levels. Luckily, a plant operator was able to return the water to normal levels.
In 2018, the Department of Homeland Security (DHS) and the FBI warned that the Russian government is specifically targeting the water sector, which resulted in the US government forming the Cybersecurity and Infrastructure Security Agency (CISA) to ensure the cybersecurity of critical infrastructure would be prepared for incoming physical threats.
The attack surface of water and wastewater infrastructure will only continue to grow over time. This makes stronger cybersecurity and more secure remote access a priority, as more water utility organizations will become victims of cyber attacks, which could lead to disastrous consequences or even death.
There are close to 200,00 drinking water systems in the U.S. that provide tap water to nearly 300 million Americans. These water systems are in cities, schools, hospitals, office buildings and other places. When critical water or wastewater systems are exploited by a cybersecurity attack, the malicious activity could result in devastating consequences to public health and safety.
Some attacks on water utilities could cause contamination, operational malfunction, and service outages, which would result in potential illness and casualties. They could also compromise emergency response teams and possibly impact transportation systems and the food supply. Beyond the physical water utility equipment, water sector entities are in charge of some critical personal data. This personal data is an extremely attractive target for cybercriminals, as seen in previous attacks.
Another example of a successful attack on a water utility is the city of Atlanta ransomware attack. In March 2018, the city of Atlanta and Atlanta Department of Watershed Management employees were unable to turn on their work computers or gain wireless internet access, and two weeks after the attack Atlanta completely took down its water department website “for server maintenance and updates until further notice.” It took Atlanta months to recover, at an estimated cost of up to $5 million in recovery efforts.
As the recent successful attacks on water infrastructure make evident, water utility companies now more than ever need to get more serious about how they manage remote access.
Over the past decade, the technology behind water infrastructures and utilities has become more interconnected with OT & IoT devices. The different connected devices such as controllers, sensors and smart meters are being used by water utilities to remotely monitor and manage processes. Unfortunately, they are easy targets for cybercriminals to infiltrate.
For water utilities, smart metering can increase efficiency, but it comes with consequences: remote access is a key entry point for successful attacks. Poor remote access security can allow both internal and external cybercriminals to gain remote access to the main operating system and cause severe community health issues, like flooding or contaminating water sources.
There is also the issue of smart meters and water appliances that are deployed by water management organizations that can be infiltrated by cyber attacks. If a smart meter is compromised through an attack or reverse engineering, it would allow cybercriminals to potentially access the metering infrastructure which would provide them the ability to attack and move laterally within an organization’s system and networks.
The vulnerabilities of smart meters shine a light on the importance of, and need for, better device protection. It is crucial that connected utility devices such as ICS, controllers, smart meters, sensors, etc. are properly monitored and managed. Understanding who has access to a water utility device, from where they are accessing it, and what irregular activity reaches it will decrease the chance of a successful remote attack on the water systems.
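The three checks named above (who has access, from where, and irregular activity) can be run over remote-access logs. The following is an added example, not from the original article or any vendor's product; the log format, account names, addresses and shift hours are assumptions constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed site policy; every name and address here is a constructed placeholder.
ACTIVE_ACCOUNTS = {
    "op_alvarez": [ip_network("10.20.0.0/24")],     # control-room subnet
    "vendor_hmi": [ip_network("198.51.100.0/28")],  # vendor jump host range
}
SHIFT_HOURS = range(6, 20)  # 06:00-19:59 local time counts as normal

# Constructed remote-access log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2021-03-02T08:14:07 user=op_alvarez src=10.20.0.15 device=hmi-01
2021-03-02T23:41:52 user=op_alvarez src=10.20.0.15 device=plc-chlorine
2021-03-03T10:05:30 user=vendor_hmi src=203.0.113.77 device=hmi-01
2021-03-03T02:17:11 user=jsmith_former src=203.0.113.9 device=scada-srv
"""

def parse(line):
    """Split one log line into a timestamp and a dict of key=value fields."""
    stamp, *pairs = line.split()
    return datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)

def review(log_text):
    """Return (timestamp, user, device, reasons) for every session worth a look."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        when, f = parse(line)
        reasons = []
        allowed = ACTIVE_ACCOUNTS.get(f["user"])
        if allowed is None:
            # Who: account is not on the current roster (e.g. never deprovisioned).
            reasons.append("account not on active roster")
        elif not any(ip_address(f["src"]) in net for net in allowed):
            # From where: known account, but source outside its approved networks.
            reasons.append("source outside approved networks")
        if when.hour not in SHIFT_HOURS:
            # Irregular activity: access outside normal operating hours.
            reasons.append("outside shift hours")
        if reasons:
            findings.append((when.isoformat(), f["user"], f["device"], reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A session can carry more than one reason, which helps triage: an off-roster account connecting outside shift hours deserves attention before a known operator working late.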
Water and wastewater organizations need to prioritize security, and this starts with setting aside the proper amount of resources and attention for protecting their infrastructure and equipment. It also means getting a deep understanding of the security risks that water and wastewater systems present and of which steps need to be taken to ensure better security.
With the increasing number of successful attacks on water plants and more awareness of the risks facing water utilities, more organizations are slowly starting to understand the significance of implementing the right security practices when it comes to securing their IT and OT systems. As water plants adopt more smart sensors and other IoT devices to automate and modernize their water-based processes, they will create new entry points for cybercriminals to exploit remotely and use to move laterally within the organization's systems.
As water technology continues to advance, so do the risks that come with it. Adopting more connected technologies and devices has forced water organizations to connect to the internet, which has resulted in more remote access entry points and, in turn, an increase in security events. This trend has led security teams to update their security approach to one better suited to remote access security, along with a new approach to OT security.
While not every water utility company has taken the right steps toward a more secure water plant, the awareness has led to changes in the water industry. Some companies and cities, like the city of Hutchinson, have taken a more proactive approach to securing their connected OT equipment with a passive network monitoring solution specifically designed for OT environments. Now, the city of Hutchinson is securing all of its water production and treatment divisions, which operate and maintain a reverse osmosis (RO) water treatment center, 20 water wells, 2 booster pump stations, 4 water storage towers, 2 Class I disposal wells, and all of their groundwater remediation facilities, all in one platform.
As water and wastewater organizations continue to become a more attractive target for cybercriminals, it's best to be prepared for any kind of attack on water utilities by taking action now and mitigating any risks. With a security-first approach cemented in an organization, along with the right amount of awareness, water utilities can continue to expand as their networks do. It is important for decision-makers to consider new security approaches that offer device-level security by design that protects their infrastructure for years to come.
To learn more about how SCADAfence protects the water supply of 42,080 Americans in the city of Hutchinson, Kansas, download the case study here.