Twenty years of cyber attacks on the world of water

Water industry: a look back at twenty years of cyber attacks | Stormshield

As a critical sector, water has had to contend with cyber threats for the past twenty years. A weapon of destabilisation between countries, public health... Cyber criminals have a thousand reasons for wanting to attack water. And not all countries seem to be equal when it comes to the rise of this criminal trend, in a context of revenge of former employees or geopolitical issues. However, one thing is certain: damaging the information systems of these infrastructures can have dramatic, wide-reaching consequences. A look back at the major attacks of recent years.

 

#1 – A wastewater treatment plant in the Shire of Maroochy, Australia in 2000

During March and April 2000, a former technical contractor of the Maroochy sewage treatment plant in Australia took control of the plant’s systems for malicious purposes. After his application for employment was rejected, he allegedly hijacked the activity of several pumps by sending spurious commands. One of the pumps then stopped working, causing wastewater to be discharged into the seabed, poisoning local flora and fauna, and creating foul odours in the surrounding area... Before succeeding, the individual is thought to have carried out no fewer than 46 attempts to hack the factory’s information systems, without ever being detected. An attack that highlights the vulnerability of the world of water to cyber threats.

 

#2 – A canal system in California (USA) in 2007

In the summer of 2007, a former employee of a small California canal system (Tehama Colusa Canal Authority in Willows) was charged with installing unauthorised software on a computer used to divert water from the Sacramento River for irrigation purposes. An installation that damaged the computer, part of the SCADA system. This former supervisor, who was responsible for the company’s IT systems, still had on-site access rights.

 

#3 – A drinking water plant in Georgia (USA) in 2013

In April 2013, the drinking water facility of a small town in North Georgia was subjected to a physical attack. No doors or windows were broken into, the attackers are thought to have got into the station over the barbed wire before gaining access to the monitoring system. They then changed the fluorine and chlorine settings, leading the management company to advise the 400 residents not to use the tap water for a few days.

When asked about the potential perpetrators, the station’s General Manager said that the employees’ vehicles were tracked and none of them were near the station at the time of the attack. He then added that former employees could still have keys or passes they did not know about...

 

#4 – A public provider in Michigan (USA) in 2016

In the state of Michigan, the Lansing Board of Water & Light (BWL) fell victim to a ransomware attack. An employee allegedly clicked on a malicious email attachment. The attack did not affect the water and electricity distribution systems, but the ransomware made some of BWL’s operations unavailable, including phone lines and customer service.

The directors then chose to pay the $25,000 ransom demanded by the cyber criminals in order to resume normal business operations. Don’t try this at home.

 

#5 – A distribution company in North Carolina (USA) in 2018

In early October 2018, the Onslow Water and Sewer Authority (ONWASA), located in Jacksonville, North Carolina, was hacked twice. On 3 October, the Emotet ransomware was reported to have spread through the company’s information systems, followed by the Ryuk ransomware around ten days later. The company, which supplies water to no fewer than 150,000 homes, was forced to shut down part of its IT infrastructure to limit the spread of malware. The double attack would not have disrupted the operation of the water and wastewater systems, but many of ONWASA’s databases and key elements would have been encrypted.

The company was therefore forced to slow down its activity for several weeks and rebuild some of its information systems.

 

#6 – A distribution company in Kansas (USA) in 2019

In March 2019, the public water utility in Ellsworth County, Kansas, was the target of malicious action by a former employee. The perpetrator allegedly took control of the company’s information systems remotely to alter the treatment of drinking water intended for the population.

The former employee had previously worked on the factory’s monitoring systems and his access had not been revoked when he left the company.

 

#7 – Pumping stations and treatment facilities in Israel in 2020

Our list now takes us to the Middle East, Israel to be precise. In April 2020, cyber criminals suspected of being affiliated with the Iranian regime reportedly attacked several pumping stations and wastewater treatment facilities and attempted to increase the level of chlorine in some of the water supply systems that supply part of the Israeli population. The government is reported to have quickly countered, prompting all the water and energy infrastructures in the country to change the passwords to all their SCADA systems, to guard against any further intrusions.

 

#8 – Water pumps in Israel in 2020

In June of the same year, the Israeli authorities reported that agricultural water pumps in the Galilee region were also attacked, as well as a water supply system in the province of Mateh Yehuda. Details of the attack were not released, but it is believed that, once again, the cyber criminals attempted to alter the quality of the water by changing the chlorine levels.

 

#9 – A recycled water reservoir in Israel in 2020

Annus horribilis in Israel. In early December 2020, a flaw in the control system of a recycled water reservoir was reportedly revealed by a group of Iranian attackers. According to the cyber criminals, the HMI (Human Machine Interface) system could be accessed from the Internet without any authentication required, allowing any malicious individual to take control of certain parameters such as the temperature or pressure of the water.

 

#10 – Two wastewater treatment plants in San Francisco and Florida (USA) in 2021

Back to the United States, to the San Francisco Bay area of California. In January 2021, an attacker reportedly took control of a local water treatment facility and deleted computer programs involved in the treatment of drinking water. The attack is still being analysed by the US authorities but initial indications are that the cyber criminal hacked into the plant’s systems using the credentials of former employees, which were used to connect to the TeamViewer remote control software.

The following month, in February 2021, the town of Oldsmar, Florida, narrowly avoided a health disaster. Cyber criminals allegedly took control of the city’s wastewater treatment facility, whose computer systems were poorly protected. According to the first elements of the investigation, two points of entry are thought to have allowed the attack: the attackers reportedly collected TeamViewer login credentials shared by several employees, and then exploited flaws present within a Windows 7 operating system. This intrusion would have allowed the cyber criminals to significantly increase the level of sodium hydroxide making the drinking water extremely toxic. Luckily, facility staff were able to quickly get the situation under control and save some 15,000 Oldsmar residents from being poisoned.

 

#11 – Water treatment infrastructure in Norway in 2021

Volue, a Norwegian company that equips several water treatment facilities with applications and software, is said to have fallen victim to the Ryuk ransomware. The events reportedly occurred in early May 2021 and the ransomware spread to the information systems of 200 public water suppliers in the country, Volue’s customers. Several customer front-end platforms were reportedly impacted and the company quickly put in place means to isolate and then restore the infected systems, thereby limiting the impact on its customers. Volue says that as things stand, 70% of its customers would have been unaffected by the attack or would now be out of range. However, the full details of this cyber attack are not yet known and the investigation is ongoing.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Despite this growing list, there is little media coverage of attempted cyber attacks on dams, irrigation systems or water treatment plants. But these attacks do exist, and they are becomingly increasingly strategic. How do things stand with cybersecurity in water networks worldwide?
With a long list of industry protocols (including SOFBUS and LACBUS) supported by Stateful DPI in network traffic, our SNi20 industrial firewall is one of the most effective solutions for ensuring the cybersecurity of your water networks.

About the author

mm
Khobeib Ben Boubaker
Head of Industrial Security Business Line, Stormshield

A graduate of CESI engineering school and holder of an ESCP Europe MBA, Khobeib began his career at Alcatel Lucent in the Submarine Network entity. His first love was the design of fibre optic systems for intercommunication between countries and operators. R&D engineer, international trainer, business engineer, then Business Unit Director: Khobeib wore many technical and business hats for a decade before coming to Stormshield. And following an initial post as Business Developer for the industrial security offering, he is now at Head of Industrial Security Business Line to support the company's strategic ambitions for IT/OT cybersecurity.