Cybersecurity For Water Utilities
ACID Technologies helps water suppliers protect themselves by detecting the first signs of an impending cyberattack – as early as in its planning stage, and providing real-time, detailed alerts that enable the targeted suppliers to implement effective preventive measures.
ACID Technologies provides water utility companies with 24/7/365 dark web monitoring services, while also continuously monitoring multiple additional sources. When detecting a threat, ACID sends real-time, actionable alerts with all available information, to enable the targeted company to effectively respond to the threat and mitigate its harmful impact on the company’s operation, whether service disruption, data theft or other.
Cybersecurity for water systems must be prioritized
Cyberattacks against water and wastewater systems are not a new phenomenon.
In October 2021, CISA (the US Cybersecurity and Infrastructure Security Agency) issued an alert based on analyses of the Federal Bureau of Investigation (FBI), CISA, the Environmental Protection Agency (EPA), and the National Security Agency (NSA), highlighting ongoing malicious cyber activity – by both known and unknown actors – targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. This malicious activity included attempts to compromise system integrity via unauthorized access and threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities.
According to CISA, about 153,000 public drinking water systems in the USA supply more than 80% of the country’s population with potable water. More than 16,000 publicly owned wastewater treatment systems in the USA treat the sanitary sewage of about three-quarters of the population. Many of the systems are small, with limited budgets and outdated technological systems with little to no effective protection.
CISA considers the supply of water and the management of wastewater as “national critical functions” that are “so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The US Department of Energy pointed out that supervisory control and data acquisition (SCADA) systems used to manage automated physical processes essential to water treatment and distribution systems have become standard in medium to large drinking water utilities and in many small water systems. The integration of more computer technologies into water systems’ routine operations increases the vulnerability of drinking water utilities to cyber threats.
In the aftermath of the cyberattack on the water system of Oldsmar in Florida (see below), former CISA director Chris Krebs admitted that “unfortunately, that water treatment facility is the rule rather than the exception.”
In April 2022 CISA director Jen Easterly, appearing before the House Appropriations subcommittee, said: “I would draw your attention in particular to water. Water entities that, frankly, are very target rich – as we saw with Oldsmar in February of 2021 – but resource poor, and so being able to provide grant money to help them raise their cybersecurity baseline, I think, is really important.”
Harm that can be caused due to the absence of effective cybersecurity for water and wastewater systems
The US Environmental Protection Agency (EPA) identifies the serious harm that can be caused by cyberattacks on water and wastewater systems:
- Upsetting treatment and conveyance processes by opening and closing valves, overriding alarms or disabling pumps or other equipment.
- Defacing the utility’s website or compromising the email system.
- Stealing customers’ personal data or credit card information from the utility’s billing system.
- Installing malicious programs like ransomware, which can disable business enterprise or process control operations. These attacks can compromise the ability of water and wastewater utilities to provide clean and safe water to customers, erode customer confidence, and result in financial and legal liabilities.
Cyberattacks on water and wastewater systems can not only compromise the supply of clean and safe water to users, but can also cause illness, place lives at risk, and lead to widespread panic. Furthermore, disrupting the operation of these systems can affect other critical services, such as the provision of medical services in healthcare facilities, and firefighting.
When the attacks take place during periods of drought, they are particularly worrisome, as alternative sources of water are often unavailable.
Attacks that demonstrate the urgent need for cybersecurity for water and wastewater systems
- South Staffordshire PLC, UK: In August 2022, the water supplier was the target of a Clop ransomware attack, as reported by CPO Magazine. The attackers claimed to have accessed the company’s SCADA systems and accessed 5TB of data, but avoided encrypting its computers. South Staffordshire claimed that the attack did not prevent it from providing safe water to its customers. In their announcement, the cybercriminals misidentified their target, claiming that it was Thames Water, the largest water utility and sewage treatment facility serving Greater London and the surrounding areas.
- Oldsmar water treatment facility, Florida, USA: In February 2021, the control system of the water treatment facility serving Oldsmar, a town in Florida with a population of 15,000, was hacked. The attacker reportedly gained access through widely shared login credentials. Using an administrator’s mouse, the hacker proceeded to temporarily raise the level of sodium hydroxide (commonly known as lye or caustic soda), which is added to the water, from 100 parts per million to the highly toxic level of 11,100 parts per million. Thankfully, an operator noticed the movement of the mouse, returned the values to their normal level and alerted the authorities. Had the attack gone unnoticed, it would have endangered the health of the town’s population. An investigation revealed that this attack might have been part of a much broader one targeting the water supply system in Florida.
- Water treatment plant in San Francisco, California, USA: A hacker gained access to the water treatment plant’s systems in January 2021, using a former employee’s TeamViewer account credentials. They then deleted programs that are used in the treatment of the drinking water. The attack was detected the following day, at which time the programs were reinstalled and the passwords changed.
- Cambridge Water and South Staffs Water, UK: The water supplier to a population of about 1.6 million people suffered a ransomware cyberattack, which it claimed disrupted its IT systems, but did not affect its ability to safely provide water to its customers. The hacker stole data and published some of it online.
- Pumping stations and treatment facilities, Israel: In the spring and summer of 2020, cyberattacks were launched against pumping stations and wastewater treatment facilities in Israel, purportedly to change the chlorine levels in the water. The attack could have compromised the health of many thousands of citizens, and shut down their water supply. The suspected cyber criminals are an Iranian group, possibly government sponsored.
ACID provides cost-effective cybersecurity for water and wastewater systems
ACID offers an effective solution for water and wastewater systems operators: It deploys clusters of bots and implements advanced AI algorithms in order to detect the first hint of an attack in the clear, deep and dark web, as well as in multiple other sources, as early as in its initial planning phase. Once such an intent is detected, ACID alerts the target of the attack in real time and transfers all the available information to them – including screenshots of threats detected on the dark web and deep web, which they may be reluctant or unable to access themselves. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available. While ACID continuously monitors a great number of sources, additional sources and keywords can easily be added upon request.
The real time alerts provided by ACID at the first sign of an attack, and the subsequent updates with additional information as it becomes available, enable the IT teams of the targeted system operator and water and wastewater treatment provider to prepare and implement countermeasures that will mitigate the impact of the attack, or possibly thwart it altogether. Water and wastewater system operators are thus supported in avoiding disruption in the supply of water and malicious activity that could endanger the health, and even lives, of their customers.
Are water utility companies considered attractive targets by cybercriminals?
Cybercriminals, and also cyberterrorists, consider all critical infrastructure, water supply infrastructure included, as targets worthy of special attention, as they are essential to the functioning of society. Disruptions to the supply of water impact all citizens, as water is vital to life itself.
In September 2024, shortly after a cyberattack on a water treatment facility, the US Cybersecurity and Infrastructure Security Agency (CISA) stated that water systems were still at risk of attack by cybercriminals and nation-states.
What are some of the vulnerabilities of water utility companies, which facilitate the success of cyber attackers?
Relating to the attack in September 2024 on a water treatment facility in Kansas, USA, CISA referred to vulnerabilities when stating that it continues to “respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.” It further added that “exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.”
What are some of the recent cyber attacks targeting the water utilities industry?
- In September 2024, the City of Arkansas in Kansas, USA reported that its water treatment facility had sustained a cyber attack. In view of the importance of uninterrupted water supply and the potential implications on future cyber attack attempts against this industry in larger cities, representatives of the Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security were sent to investigate the incident. The city issued a statement to reassure its approximately 11,000 citizens: “Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved. Residents can rest assured that their drinking water is safe, and the city is operating under full control during this period.” It also added it is implementing enhanced security measures, and that the attack did not compromise private data.
- Only several weeks later, in early October 2024, America’s largest regulated water and wastewater utility company, American Water, was also the target of a cyber attack. Based in New Jersey, the company manages more than 500 water and wastewater systems in 14 states: California, Georgia, Hawaii, Illinois, Indiana, Iowa, Kentucky, Maryland, Missouri, New Jersey, Pennsylvania, Tennessee, Virginia and West Virginia, and also on 18 military installations. In total, it provides services to a population of 14 million. Once the attack was detected, the company swiftly shut down some of its systems. Although American Water did not reveal the type of attack perpetrated against it, it is believed to have been a ransomware attack.
- The other cyber attacks that took place in 2024 include those targeting multiple water and wastewater plants in Texas, USA, in January 2024. The hackers posted videos online in which they could be seen interacting with SCADA (supervisory control and data acquisition) systems, adjusting controls and settings at will. Once the attacks were detected, operations were switched to manual control. In most of these attacks, this was done before material damage was caused.
These and other attacks in 2024 join previous attacks in late 2023, including one on a water utility in Pennsylvania in late November 2023. The politically motivated attack perpetrated by pro-Iran hackers involved gaining access to industrial equipment used to manage water pressure, forcing a switch to manual operation of a pumping station.
Have the US authorities commented on these cyber attacks on water utilities?
Even before CISA’s statement that water systems were still at risk of attack by cybercriminals and nation-states, the US government voiced its concern in May 2024, ranking threats to critical infrastructure in the country as severe.
The concern arises also because cybersecurity in the water industry, which includes more than 150,000 public water systems in the USA, is unregulated; therefore, it is up to the various companies to implement best practices to protect themselves.
ACID’s solution can significantly improve water utility companies’ cybersecurity profile. In light of the critical importance of uninterrupted water supply, companies would be well advised to adopt this cost-effective solution and avoid operational disruption and potential damage to infrastructure.
ACID deploys clusters of robots and implements sophisticated algorithms to perform continuous dark web monitoring in order to detect signs of impending attacks even while still in their planning stage, attacks that are in progress, and leaked data indicating that their systems had been breached. Client-specific keywords are used, and language/s are chosen as relevant, to provide optimal results. Numerous additional sources are also monitored 24/7/365. Once a threat is detected, ACID sends real-time alerts to the targeted organization, to enable it to implement countermeasures to mitigate the effects of the attack, or perhaps foil it altogether.