ACID Technologies helps water suppliers protect themselves by detecting the first signs of an impending cyberattack – as early as in its planning stage, and providing real-time, detailed alerts that enable the targeted suppliers to implement effective preventive measures
Cybersecurity for water systems must be prioritized
Cyberattacks against water and wastewater systems are not a new phenomenon.
In October 2021, CISA (the US Cybersecurity and Infrastructure Security Agency) issued an alert based on analyses of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA), highlighting ongoing malicious cyber activity – by both known and unknown actors – targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. This malicious activity included attempts to compromise system integrity via unauthorized access and threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities.
According to CISA, about 153,000 public drinking water systems in the USA supply more than 80% of the country’s population with potable water. More than 16,000 publicly owned wastewater treatment systems in the USA treat the sanitary sewage of about three-quarters of the population. Many of the systems are small, with limited budgets and outdated technological systems with little to no effective protection.
CISA considers the supply of water and the management of wastewater as “national critical functions” that are “so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The US Department of Energy pointed out that systems control and data acquisition (SCADA) systems used to manage automated physical processes essential to water treatment and distribution systems have become standard in medium to large drinking water utilities and in many small water systems. The integration of more computer technologies into water systems’ routine operations increases the vulnerability of drinking water utilities to cyber threats.
In the aftermath of the cyberattack on the water system of Oldsmar in Florida (see below), former CISA director Chris Krebs admitted that “unfortunately, that water treatment facility is the rule rather than the exception.”
In April 2022 CISA director Jen Easterly, appearing before the House Appropriations subcommittee, said: “I would draw your attention in particular to water. Water entities that, frankly, are very target rich – as we saw with Oldsmar in February of 2021 – but resource poor, and so being able to provide grant money to help them raise their cybersecurity baseline, I think, is really important.”
The supply of water and the management of wastewater are “national critical functions… so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
(CISA, USA)
Harm that can be caused due to the absence of effective cybersecurity for water and wastewater systems
The US Environmental Protection Agency (EPA) identifies the serious harm that can be caused by cyberattacks on water and wastewater systems:
- Upsetting treatment and conveyance processes by opening and closing valves, overriding alarms or disabling pumps or other equipment.
- Defacing the utility’s website or compromising the email system.
- Stealing customers’ personal data or credit card information from the utility’s billing system.
- Installing malicious programs like ransomware, which can disable business enterprise or process control operations. These attacks can compromise the ability of water and wastewater utilities to provide clean and safe water to customers, erode customer confidence, and result in financial and legal liabilities.
Cyberattacks on water and wastewater systems can not only compromise the supply of cleans and safe water to users, but can also cause illness, place lives at risk, and lead to widespread panic. Furthermore, disrupting the operation of these systems can impact on other critical services, such as the provision of medical services in healthcare facilities, and firefighting.
When the attacks take place during periods of drought, they are particularly worrisome, as alternative sources of water are often unavailable.
Attacks that demonstrate the urgent need for cybersecurity for water and wastewater systems
- South Staffordshire PLC, UK: In August 2022, the water supplier was the target of a Clop ransomware attack, as reported by CPO Magazine. The attackers claimed to have accessed the company’s SCADA systems and accessed 5TB of data, but avoided encrypting its computers. South Staffordshire claimed that the attack did not prevent it from providing safe water to its customers. In their announcement, the cybercriminals misidentified their target, claiming that it was Thames Water, the largest water utility and sewage treatment facility serving Greater London and the surrounding areas.
- Oldsmar water treatment facility, Florida, USA: In February 2021, the control system of the water treatment facility serving Oldsmar, a town in Florida with a population of 15,000, was hacked. The attacker reportedly gained access through widely shared login credentials. Using an administrator’s mouse, the hacker proceeded to temporarily raise the levels of sodium hydroxide (commonly known as lye or caustic soda) which is added to the water from 100 parts per million to the highly toxic level of 11,100 parts per million. Thankfully, an operator noticed the movement of the mouse, returned the values to their normal level and alerted the authorities. Had the attack gone unnoticed, it would have endangered the health of the town’s population. An investigation revealed that this attack might have been part of a much broader one targeting the water supply system in Florida.
- Water treatment plant in San Francisco, California, USA: A hacker gained access to the water treatment plant’s systems in January 2021, using a former employees TeamViewer account credentials. They then deleted programs that are used in the treatment of the drinking water. The attack was detected the following day, at which time the programs were reinstalled and the passwords changed.
- Cambridge Water and South Staffs Water, UK: The water supplier to a population of about 1.6 million people suffered a ransomware cyberattack, which it claimed disrupted its IT systems, but did not affect its ability to safely provide water to its customers. The hacker stole data and published some of it online.
- Pumping stations and treatment facilities, Israel: In the spring and summer of 2020, cyberattacks were launched against pumping stations and wastewater treatment facilities in Israel, purportedly to change the chlorine levels in the water. The attack could have compromised the health of many thousands of citizens, and shut down their water supply. The suspected cyber criminals are an Iranian group, possibly government sponsored.
ACID provides cost-effective cybersecurity for water and wastewater systems
ACID offers an effective solution for water and wastewater systems operators: It deploys clusters of bots and implements advanced AI algorithms in order to detect the first hint of an attack in the clear, deep and dark web, as well as in multiple other sources, as early as in its initial planning phase. Once such an intent is detected, ACID alerts the target of the attack in real time and transfers all the available information to them – including screenshots of threats detected on the dark web and deep web, which they may be reluctant or incapable of accessing themselves. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available. While ACID continuously monitors a great number of sources, additional sources and keywords can easily be added upon request.
The real time alerts provided by ACID at the first sign of an attack, and the subsequent updates with additional information as it becomes available, enable the IT teams of the targeted system operator and water and wastewater treatment provider to prepare and implement countermeasures that will mitigate the impact of the attack, or possibly thwart it altogether. Water and wastewater system operators are thus supported in avoiding disruption in the supply of water and malicious activity that could endanger the health, and even lives, of their customers.