Hackers Threaten Our Water Supply
Iran has been accused of conducting a cyber campaign targeting Israeli water and sewage facilities in recent months. Reports started circulating after the Israeli Water Authority ordered all personnel to immediately change the passwords to the facility’s systems adding that if “the passwords could not be changed, the system should be disconnected from the internet entirely.” After further investigations, it now appears that a piece of Iranian-written code, seeking to mask its origins, made its way through servers in the US and Europe before arriving at its final target: software controllers that pump water into Israeli homes. Intelligence sources report its goal was to mess with chlorine levels used to treat water for flowing to the Israeli population.
While the cyberattack does not seem to have caused any damage, sources with knowledge of the incident suggested that the water facilities operational systems and chlorine controls may not be adequately protected.
When it comes to water safety here in the U.S., most citizens, regulators, and lawmakers are focused on water scarcity and quality issues stemming from pollution, climate change, and other man-made challenges. The cyber risks to our H2O infrastructure have yet to enter the public debate in the way that vulnerabilities in the electric grid have, despite proven attacks on this critical infrastructure. In 2016, a group of relatively unsophisticated hackers, likely with little knowledge of industrial control systems, infiltrated an unnamed water treatment facility. The attackers compromised the Internet-facing server running the utility’s online payment application, which also contained the credentials for the Supervisory Control and Data Acquisition, or SCADA, system. In this case, the utility’s industrial control systems were running on a 1980s-era IBM machine. From there the hackers were able to manipulate the water treatment process, altering water flow settings and the amount of chemicals used in the treatment process in four separate breaches over the course of two months.
While the attacks caused delays in replenishing water supplies, there was minimal impact on customers because the utility was able to quickly identify and correct the flow and chemical problems. But if a state-backed actor wanted to sow panic in the citizenry during a time of crisis or a sophisticated criminal network was looking for new form of extortion, the infiltration could have been far subtler and the consequences far more serious — cholera, dysentery, or simply non-potable water supplies.
American water utilities are not taking the necessary steps to prevent this kind of disaster. Even as local utilities are embracing digital connectivity to reduce costs, enhance efficiencies, and improve quality, they are not implementing security systems and processes to protect their networks. While internet-connected sensors, for example, can monitor the performance of pump stations, pressure levels, and water quality to prevent unsafe and costly hazards, these same sensors can provide malicious actors with remote access into wells and water main systems. Malware intended to steal billing information can make its way onto operational networks causing an operator to lose control of a system or even to allow an adversary to directly manipulate it. In short, equipment that is remotely accessible is often vulnerable to exploitation from unprotected networks.
Every marginal increase in connectivity, therefore, demands a corresponding increase in security. Most water utility operators, however, simply lack the resources and knowledgeable staff to evaluate their cyber security posture, remediate vulnerabilities, and continuously monitor these opaque networks for incoming or latent threats.
Electric utilities have been working on solutions to these same challenges for years. Our grids benefit from being highly interconnected with exceedingly few single points of failure, having spare equipment sharing programs between and among operators, and robust information sharing mechanisms. But whereas there are roughly 3,000 electric utilities in the entire United States, there are roughly 3,000 water systems in California alone, and nearly 70,000 water and wastewater utilities across the country.
Electric utilities have made significant strides in developing and deploying processes to revert to manual operations if network impairments prevent visibility into operational technology systems or if malware makes such systems unworkable. Perhaps most importantly, the CEOs and Boards of the largest electric utilities have been champions of making — and keeping — cybersecurity a top priority and have actively pushed for closer coordination among industry and with government partners. The investor-owned utilities which serve nearly three quarters of electricity customers in the U.S., in particular, see cybersecurity as a business imperative, not just an audit requirement. This stands in sharp contrast to the nearly 90% of water utilities that are not subject to market forces.
As a result of all of this investment and attention, most grid operators not only meet, but exceed, the cybersecurity standards enforced by the North American Electric Reliability Corporation — a not-for-profit entity, serving more than 400 million people, whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid.
It is long past due that the cybersecurity investment and attention paid to the electric grid is turned toward water. Privatization and consolidation will help ensure cutting edge technologies, best practices, and top-level talent flow to the water sector. But this is not enough. The water industry must create a non-governmental, self-regulatory organization to develop and enforce mandatory cybersecurity standards for water utilities. This is exactly what the Energy Act of 2005 did and it has worked. It’s high time the water sector gets the same treatment.
Samantha F. Ravich is a Commissioner on the Congressional Cyber Solarium Commission and the Chair of FDD’s Center for Cyber and Technology Innovation.