Attempted cyberattack highlights vulnerability of global water infrastructure

In late April, Israel’s National Cyber Directorate received reports about an attempted “major” cyberattack on its water infrastructure. According to a statement issued by the directorate, the attack consisted of “assault attempts on control and control systems of wastewater treatment plants, pumping stations and sewers.”

The directorate called on water companies to change their internet passwords, make sure their control system software is updated, and undertake other cyber hygiene measures to tighten security. The attempted attacks were unsuccessful, according to the directorate, and appeared to be coordinated. Of concern was the level of chlorine in the water supply. The directorate asked water companies to look for any disruptions, particularly regarding chlorine use in the water supply.

The geopolitical nature of the attack points to actors who favor an independent Palestinian state. “It’s more likely a state actor that would be supporting them, such as the Iranians who have built quite a cyber force,” says Matt Lampe, who most recently served as CIO for Los Angeles Water and Power and is now a partner in critical infrastructure cybersecurity advisory firm Fortium Partners.

Whoever the attackers are, the timing could not have been worse, taking place as the globe grappled with the worst period of the COVID-19 crisis. “I think it’s really unfortunate to see that there are still really bad actors out there trying to infiltrate critical infrastructure even in the face of the pandemic,” says Maria Bocanegra, commissioner at the Illinois Commerce Commission and vice chair of the water committee at the National Association of Regulatory Utility Commissioners.

Water facility attacks low profile, high impact

Although cyberattacks on the electric grid grab the lion’s share of attention, attacks on water facilities typically generate little press coverage or public focus, making the directorate’s public statement of an attack something of an anomaly. The lower profile of water companies when it comes to cybersecurity is surprising given the far more significant damage a water supply attack could pose.

“Water has always been the one industry that is least resourced and the most capable of causing impact to life and safety,” Lesley Carhart, principal threat analyst at industrial cybersecurity company Dragos, tells CSO. “This is something I have been expecting to happen for a long time. The first cyber incident directed at a critical infrastructure facility was not Stuxnet. It was a sewage treatment plant that was attacked,” she says, referring to the 2000 Maroochy Shire malicious control system cyberattack in Queensland, Australia.

In that incident, a SCADA contractor for the Maroochy Shire Council applied for a job with the council, which runs the water system. After failing to land the position, the contractor packed his car with stolen radio equipment and, using a possibly stolen computer, issued radio commands to the sewage equipment in the treatment plant. This unauthorized intrusion caused 800,000 liters of raw sewage to spill out into local parks and rivers and the grounds of a Hyatt Regency hotel.

In the most recent Israeli incident, however, the apparent goal was not to dump anything but to raise the level of chlorine in the water supply. “One of the major industrial control systems [ICS] that are involved in water treatment are those systems that put the correct level of chemicals in the water supply that is then distributed,” Carhart says. “Having the wrong levels of chlorine in your water is a very unfortunate situation.”

Lampe thinks the attempted attack in Israel must have been undertaken by a very sophisticated threat actor, most likely a nation-state. “That kind of attack has to be very specifically tailored to very specific control systems to be disguised,” he tells CSO.

ICS attacks require knowledge and planning

Carhart stresses that ICS cyberattacks require a lot of knowledge and planning. “Industrial control system attacks take a long time to launch because adversaries have to know a lot about the systems,” she says. “Industrial control systems aren’t just digital; they’re also analog and mechanical. Usually, you have all different kinds of combinations of those things in your industrial environment as well as having your digital PLCs [programmable logic controllers] that are programmed to do things, as well as your PCS [personal communication systems] and SCADA [supervisory control and data acquisition] systems. If you’re a bad person who wants to do something to an industrial process, you have to understand all those things. You can’t just go after the digital system.”

“My sense is that what they were trying to do is manipulate the chlorine levels and at the same time send operators a signal that the chlorine levels were fine,” Lampe says, which would put the attempted attack, conceptually at least, on the level of Stuxnet. “If you think about something like the Stuxnet attack, where basically the whole attack was targeted around the control system for those centrifuges, and a lot of what they did was disguise what the operators were seeing.”

Assuming something like this happened, this would mean the Israeli authorities are warning water utilities to check their chlorine levels because those utilities’ instruments could incorrectly indicate that the chlorine levels are acceptable, when in reality a cyberattack on the system might have caused excessive chlorine to be introduced into the water supply. “The behavior of the system and what was being reported were two different things [in Stuxnet],” says Lampe. “What I would sense is that this was the type of attack being done [in Israel], and that would entail knowing a lot of detail about the control systems themselves.”

“One of the things our cybersecurity office is always mindful of, and we try to impart to our water utilities in this context, is being careful not to place too big an emphasis or undue levels of trust in our digital systems and really having procedures in place in physically confirming the status of our systems,” Bocanegra tells CSO. “Water is the one utility that you actually ingest. It’s that important. You cannot live without water.”
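As an added illustration of the independent-confirmation procedure Bocanegra describes (example code written for this page, not from the article or any utility's systems), the check below compares the chlorine value a control-system HMI reports to operators against constructed out-of-band grab-sample measurements and raises alerts when the two diverge, when the independent reading leaves the safe band, or when the displayed trend is suspiciously flat. The safe band, tolerance and flatness threshold are assumed placeholders, not values from the page.

```python
"""Cross-check HMI-reported free chlorine against out-of-band measurements.
Constructed example; thresholds are assumptions, not utility standards."""
from dataclasses import dataclass
from statistics import pstdev

SAFE_MIN, SAFE_MAX = 0.2, 4.0   # assumed residual chlorine band, mg/L
MAX_DIVERGENCE = 0.5            # assumed tolerance between HMI and bench, mg/L
FLAT_STDEV = 0.005              # assumed: a live sensor never sits this still


@dataclass
class Sample:
    ts: str       # timestamp label
    hmi: float    # value shown to operators by the control system
    bench: float  # independent grab-sample result from a bench analyzer


def check_samples(samples):
    """Return a list of (timestamp, reason) alerts in order of detection."""
    alerts = []
    for s in samples:
        # Physical confirmation: trust the independent measurement first.
        if not SAFE_MIN <= s.bench <= SAFE_MAX:
            alerts.append((s.ts, "bench reading outside safe band"))
        # Display integrity: HMI and bench should agree within tolerance.
        if abs(s.hmi - s.bench) > MAX_DIVERGENCE:
            alerts.append((s.ts, "HMI disagrees with independent measurement"))
    # A perfectly flat displayed trend suggests a frozen or replayed value.
    hmi_values = [s.hmi for s in samples]
    if len(hmi_values) >= 4 and pstdev(hmi_values) < FLAT_STDEV:
        alerts.append((samples[-1].ts, "HMI trend is flat: possible frozen display"))
    return alerts


# Constructed data: the HMI keeps showing a normal ~1.5 mg/L while the
# independent grab samples climb past the safe band.
SAMPLES = [
    Sample("08:00", 1.50, 1.48),
    Sample("09:00", 1.50, 1.62),
    Sample("10:00", 1.50, 2.90),
    Sample("11:00", 1.50, 4.70),
]

if __name__ == "__main__":
    for ts, reason in check_samples(SAMPLES):
        print(f"{ts}: {reason}")
```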

Water utilities under-resourced for cybersecurity

Water utilities around the world, but particularly in the US, which has an estimated 70,000 water utilities, are vulnerable to attacks because they are usually small and have almost no cybersecurity expertise among staff members. “The people that work [at water facilities] are very much concerned about cybersecurity threats,” Carhart says, but “it’s usually just one or two IT people at those facilities. They care a lot about cybersecurity. They’re engaged, they ask questions, they understand where the vulnerabilities are, but in a large number of municipalities, they are not being given adequate resources to do cybersecurity well.”

Because of this, and because so few water utilities have the tools to detect an attack in the first place, they’re attractive targets for well-financed threat actors who are looking to test new methods. “What we often see is adversaries using small utilities and local utilities as proving grounds. These more well-resourced adversaries have found that it’s more effective to go after mom and pop utilities,” Carhart says.

No cybersecurity requirements for water utilities

Unlike the electric industry, the water industry faces no regulatory requirements when it comes to cybersecurity, although there is a Water Information Sharing and Analysis Center (WaterISAC) that serves as an all-threats security information source for the water and wastewater sector. However, the guidelines issued by the WaterISAC are voluntary, and many water companies lack the resources to implement them.

Bocanegra points to pending congressional legislation, the Safe Communities Act of 2020, as at least a partial solution. That bill aims to strengthen critical infrastructure security across all utility sectors against acts of terrorism and other homeland security threats. It calls for a clearinghouse of security guidance, best practices, and other voluntary content developed by the Cybersecurity and Infrastructure Security Agency (CISA).

Creating more comprehensive security regulation for the industry will be a challenge, however. “I remember a few years ago sitting down and talking with DHS, and unlike the bulk power system, with all the NERC CIP, there were only some fairly basic guidelines for water utilities with no enforcement,” Lampe says. “I asked them, ‘When are you going to tackle that?’ They basically said, ‘We’re not quite sure how to tackle it because so many water districts are so localized, so small, they have a couple of people, that there’s just no way they are going to do something.’”