
Protecting Our Water: Cybersecurity for Water and Wastewater Systems

Author: DAN BRILEY, CISSP, CIPP/US, FOUNDER & CEO

December 30, 2024

The water we drink, the showers we take, and the toilets we flush – all of these everyday necessities depend on the reliable operation of our water and wastewater systems. But in an increasingly digital world, these critical systems face a growing threat: cyberattacks.

The Escalating Threat Landscape

Cyberattacks on industrial control systems (ICS) are not just the plotlines of Hollywood thrillers; they are a stark reality with potentially devastating consequences. The water sector, responsible for the continuous delivery of clean water and safe disposal of wastewater, has become a prime target for malicious actors seeking to disrupt essential services, steal sensitive data, or even cause physical harm.

Vulnerabilities in the Water Sector

Water and wastewater facilities rely heavily on computer technology, including Supervisory Control and Data Acquisition (SCADA) systems, for automated physical processes. While SCADA systems offer efficiency and convenience, they also introduce vulnerabilities that cyber threat actors can exploit.

Real-World Consequences: Incident Reports

The consequences of cyberattacks on water systems can range from operational disruptions and financial losses to compromised water quality and public health risks. Let’s explore some real-world incidents and lessons learned:

Incident #1: “Emotet and Ryuk Ransomware Attacks” in Jacksonville, North Carolina. In October 2018, the Onslow Water and Sewer Authority (ONWASA) in Jacksonville, North Carolina, experienced two consecutive cyberattacks. The first attack involved Emotet malware, which infiltrated the network through phishing emails, likely due to inadequate employee training. The second attack involved Ryuk ransomware, which encrypted files and disrupted critical computer operations. Although ONWASA managed to restore their systems from backups without paying the ransom, the recovery process was time-consuming and costly.¹

Incident #2: “Unauthorized Access and Tampering” in Ellsworth, Kansas. In March 2019, a former employee of the Post Rock Rural Water District in Ellsworth, Kansas, remotely accessed the facility’s computer system using his personal cell phone. He then intentionally shut down cleaning and disinfecting procedures, potentially compromising water quality. This incident highlights the risks associated with “stale” credentials (i.e., credentials that should be disabled, but are not) and insider threats.²

Incident #3: “Ghost Ransomware Attack” on a Nevada-Based Facility. In March 2021, a Nevada-based water and wastewater facility was hit with an unknown ransomware attack that affected their SCADA system and backup systems. This attack, which was not publicly disclosed until later, underscores the vulnerability of critical infrastructure to ransomware attacks.³

Incident #4: “Hacktivist Attack” on an Aliquippa, Pennsylvania Water Authority. In November 2023, an Iranian hacktivist group, Cyber Av3ngers, gained control of a programmable logic controller (PLC) at a booster station operated by the Aliquippa Municipal Water Authority (MWA). The PLC was disabled, preventing it from automatically regulating water pressure, and an anti-Israel message was displayed on the screen. This incident demonstrates the potential for hacktivist groups to target critical infrastructure for political or ideological reasons.⁴

Protecting Our Water: A Call to Action with Summit Security Group

These examples serve as a wake-up call for the water sector. It is imperative that water and wastewater facilities take proactive steps to strengthen their cybersecurity posture and protect our most precious resource.

Summit Security Group is a trusted partner in assessing and safeguarding critical infrastructure. We have extensive experience working with the unique needs of water and wastewater facilities to strengthen their cybersecurity posture, including:

  • Risk Assessments and Vulnerability Scanning: Identify and prioritize security gaps in your systems and applications.
  • Penetration Testing: Simulate real-world attacks to uncover vulnerabilities and assess your defenses.
  • Incident Response Planning and Training: Develop and exercise incident response plans to ensure a swift and effective response to cyberattacks.
  • Security Awareness Training: Educate your employees on cybersecurity best practices and empower them to act as the first line of defense.
  • Compliance Support: Navigate complex regulatory requirements and ensure compliance with industry standards.

Contact Summit Security Group today to learn how we can help you protect your water infrastructure and ensure the continued delivery of safe and reliable water services to your community.

Incident Sources:
¹https://cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility/#:~:text=Jacksonville%2C%20North%20Carolina%2Dbased%20Onslow,and%20fulfilling%20service%20orders%20manually 
²https://www.waterisac.org/portal/updated-october-21-2021-insider-threat-%E2%80%93-former-employee-indicted-unauthorized-computer 
³https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a
⁴https://www.cbsnews.com/pittsburgh/news/municipal-water-authority-of-aliquippa-cyberattack-u-s-department-of-homeland-security/
