Just south of the border, a water utility produces 20 million gallons of potable water daily. The water is dispersed through 1,000 kilometres of pipes for the benefit of 130,000 consumers. Vaguely aware of growing cyber security threats in the water industry, the utility invited a technology firm to perform a security audit.

From the comfort of his hotel room downtown, the “white hat” hacker performing the security audit successfully infiltrated the water network. A data logger transmitted information from a remote asset without encryption directly to the operational SCADA network. The hack took minutes and opened the door to the entire system controlling the water utility’s every action.

Shocked by the speed and ease with which the hacker gained access, this water utility decided to completely overhaul and modernize the network with an emphasis on both data communication and cyber security.

A decade ago, this interception would not have been likely. When industrial automation was first adopted by critical utilities, there was little reason to be concerned about cyber threats. Industrial automation took place offline, disconnected from the rest of the world, and “in the fence”—within the utility’s facility. Cyber warfare was uncommon, with high barriers to entry for hackers. Within a water facility, cyber threats were not probable.

Today, water utilities are attacked by hackers on a daily basis. Many of these utilities use technology developed decades ago without any concerns for cyber security. While these automation tools may provide reliable services, they are extremely ineffective against cyber attack.

Who is interested in hacking water and what are they trying to do?

Water utilities are attractive targets for any hacker. Because water is a critical resource, hackers in control of a water utility can demand almost anything in exchange for returning control. Criminal hackers, government operatives, terrorists, “hacktivists” with an agenda, or even just a bored individual with no other outlet for his or her abilities all have something to gain from hacking a water utility.

What hackers seek to do after gaining access to the water utility differs. The most common motivation is ransomware blackmail, untraceable when paid by bitcoin. Other hackers seek to deny service; by hacking into the system they can shut it down. Still others are interested in stealing sensitive data. Just think of the many credit card details for sale on the black market—water utilities contain that same sensitive data. Data manipulation, say changing the levels of chemical in the water, is another force driving cyber attacks. So is publicity: some hackers publicly expose their control of an important system to gain fame and prestige.

The water sector is vulnerable to any of these types of cyber attacks. Water utilities quietly pay ransomware demands several times a week. With no reporting requirements, this cost is quietly passed down to the consumer. Cyber attacks targeting data in the water industry are more dangerous. Shutting down a water network responsible for such a critical service would result in devastating consequences. Manipulating data within the network prompts unbalanced reactions, possibly causing the utility to poison the water itself. All the more reason for water utilities to prioritize cyber security in their systems.

How do hackers gain access to the water network?

While the reasons and identities of those attacking water utilities differ, the process through which hackers gain control over a water system is the same. A hacker’s first move is to identify the weakest asset within the network to attack. Any attack depends on this initial toehold into the system. Once that opportunity is identified and targeted, the entire system is at risk. For example, if the hacker’s target is the water utility’s well-protected SCADA system, a hacker may gain access through a seemingly harmless transmission from a remote device in the field, the opening of an innocent-looking email, or an upgrade to standard software.

This initial vulnerability in the system makes an entire cyber attack possible. Quietly, without raising any red flags, the hacker works his or her way through the network, encrypting the water system’s data until only the hacker has control of the water utility. This may take up to a week, depending on the size and complexity of the water network. When only the hacker has the tools to decrypt the system, a ransom can be demanded, or data manipulated.

Can utilities protect themselves by excluding technology?

If technology opens the door to potential threats and cyber attacks, why bother? Perhaps a more cautious approach is necessary? Regrettably or not, the digital transformation of water utilities is here to stay. Without technology and digital tools, there is no way water infrastructure can meet current demand, and definitely no way to provide enough water in the future.

The water industry faces numerous challenges. Aging infrastructure, growing populations, and extreme weather test the limits of water utilities daily. Automation and digitization allow water utilities to extend the lifespan and abilities of such critical infrastructure. Technology allows utilities to maximize existing resources, despite many challenges.

The water industry’s future relies on technology. Big data generated by IoT devices brings new insights to hydraulic models. Furthermore, Infrastructure 4.0 brings artificial intelligence to edge devices in water mains to attain new operational abilities and extend the lifespan of aging hard infrastructure. There is no way to avoid technology if water utilities are to meet tomorrow’s needs. However, technology must be adopted in a cyber secure manner.

Zero trust cyber security for critical utilities

Historically, water utilities only had full visibility of “in the fence” actions. In other words, whatever was happening in the water plant. Many water utilities today still take this historic approach to cyber security: a “perimeter” approach that focuses on security for the water treatment plant, with no concern for assets in the field.

Industrial IoT provides data from the rest of the network, the thousands of kilometres of water main pipes, dozens of pressure release valves, and storage tanks—all the components previously operating blindly. This visibility and situational awareness of the complete water network enables the quick, precise detection of leaks and the monitoring of water quality throughout the water network. However, this sophisticated solution is composed of many components. Each of these components is vulnerable during a cyber attack.

The critical, initial cyber security breach could target any one of these components: sensors, meters, transmitters, servers, software platforms. Each is a potential vulnerability. Additionally, every interaction between components is a possible vulnerability. The only way to maintain security is to make sure each component is secure. A zero trust approach focuses on securing not only the central water plant, but also all the interconnected assets in the water network. After all, the water network is only as secure as its most vulnerable asset.
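
An added example, not part of the original article: a SCADA-side ingestion check that treats every field data logger as untrusted until each frame proves its origin, freshness and uniqueness. The device IDs, keys, frame layout and 300-second window are assumptions made for illustration; the code demonstrates authentication and replay protection with HMAC-SHA256 and assumes transport encryption such as TLS is applied separately.

```python
import hashlib
import hmac
import json

# Constructed per-device keys (hypothetical device IDs). Real keys would be
# provisioned per logger and held in a secrets manager or HSM.
DEVICE_KEYS = {"logger-017": b"k" * 32, "logger-042": b"q" * 32}
MAX_SKEW_S = 300      # assumed freshness window for a reading, in seconds
last_counter = {}     # highest counter accepted so far, per device


def sign_frame(device_id, counter, ts, reading, key):
    """Field-device side: serialise a reading and attach an HMAC-SHA256 tag."""
    body = json.dumps({"dev": device_id, "ctr": counter, "ts": ts,
                       "reading": reading}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def accept_frame(body, tag, now):
    """Gateway side: return (True, reading) or (False, reason)."""
    # The claimed device ID is read only to select a key; nothing in the
    # frame is trusted until the tag verifies.
    try:
        msg = json.loads(body)
        dev, ctr, ts = msg["dev"], int(msg["ctr"]), int(msg["ts"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    key = DEVICE_KEYS.get(dev)
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not isinstance(tag, bytes) or not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    if abs(now - ts) > MAX_SKEW_S:
        return False, "stale"
    if ctr <= last_counter.get(dev, -1):
        return False, "replay"
    last_counter[dev] = ctr   # record only after every check has passed
    return True, msg["reading"]
```

Frames rejected here are worth logging with their reason, since a burst of "bad tag" or "replay" results from one device is an early sign that a field asset or its link is being tampered with.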

Cyber security for water utilities requires a double focus: secure architecture and security updates. The architecture and foundation of the network must be designed with security in mind. Additionally, all hardware and software on the network must be constantly updated to address the latest security vulnerabilities.

Going forward

Mitigating cyber threats is a constantly evolving process. With over 50 new cyber threats reported daily, responsible water professionals must be aware of the basic security issues surrounding this critical service. Choosing the right technology that provides both functionality and security is key.

Cyber attacks could happen to anyone but are most likely to happen to the least protected. Utilities are high profile and important, making them attractive targets for hackers. Keeping up with ever-evolving cyber threats requires ongoing effort.

This article was written by Ariel Stern and Yair Poleg for the July/August 2021 issue of Water Canada. Stern and Poleg are co-founders of Ayyeka.
