Since the turn of the century, water supply and treatment facilities from Israel to the US have endured an increasing number of cyber attacks. Some of these attacks have been more successful than others, but the targeted utilities tend to have one thing in common: a lack of investment in cyber security.
But it is not ease of access alone that motivates the threat actors, and now it seems their attention is finally shifting towards the UK. Why now? And what could a hacker possibly hope to achieve? The answer to those questions requires a brief history lesson, from which some common themes and patterns will emerge.
The first wave: 2000 – 2019
2000: Malodorous in Maroochy
Vitek Boden, a technical contractor at Australia’s Maroochy sewage treatment plant, gained unauthorised access to the plant’s systems and discharged wastewater into the seabed, canals, and the grounds of a local hotel – harming wildlife and releasing a stench into the air. The plant had just rejected Boden’s application for full-time employment.
Investigators found Boden had made at least 46 undetected and failed attempts to breach the plant's Supervisory Control and Data Acquisition (SCADA) system before eventually succeeding.
SCADA is comprehensive system of software and hardware, widely used around the world to exercise control over a range of industrial processes.
2007: California’s canal calamity
The day that Michael Keehn was fired from his role as an electrical supervisor at the Tehama Colusa Canal Authority, he installed unauthorised software on the Authority’s SCADA system. The authority used SCADA to control the diversion of water from the Sacramento River to local farms.
2013: The tip of an iceberg appears in New York
As its name suggests, the Bowman Avenue Dam in suburban Westchester, New York is a modest structure. It’s an unlikely place for an international incident, but in 2016 an Iranian group of hacktivists took ‘credit’ for a 2013 cyber attack on it.
Although the group, SOBH Cyber Jihad, didn’t take control of the dam, it did manage to infiltrate one of its systems. Sen. Chuck Schumer told reporters, “There are larger dams, there are public utilities, there are nuclear power plants. We don't know how many attacks like this have been attempted. Is it just the tip of the iceberg?”
2016: Malice in Michigan
Ransomware attackers hit the Lansing Board of Water & Light (BWL) after an employee opened a malicious email attachment. The attack, thought to be by a nation-state backed group, made some of the city-owned utility’s operations unavailable, including phone lines and customer service. BWL reportedly paid a US$25,000 ransom to get back to normal, and according to the city’s financial records spent US$2m on security upgrades in the wake of the attack.
2018: Jacksonville’s double jeopardy
The Onslow Water and Sewer Authority (ONWASA), in Jacksonville, North Carolina, was still struggling to recover from devastating flooding after Hurricane Florence when it fell victim to a ransomware incident in October 2018. ONWASA was initially compromised by Emotet, the well-known trojan, before Ryuk ransomware was deployed in the early hours of the morning. Reporting at the time linked the attack to nation-state backed hacktivists.
ONWASA responded by partially shutting down its IT infrastructure. Although its water and sewage systems remained unaffected, numerous databases and crucial components were encrypted and ONWASA endured significant operational disruptions for several weeks.
Rather than pay ransoms, ONWASA elected to rebuild its databases and computer systems from scratch.
2019: Wyatt the Wichita Wildman
Two months after leaving his job at the Post Rock Rural Water District in Ellsworth, Kansas, 22-year-old Wyatt Travnichek remotely accessed his former employer’s control system (which, for some reason, he could still do using his old credentials) and shut down the water supply to around 1,500 customers.
His motives will forever remain a mystery. The prosecutor told the judge that Travnichek was so intoxicated at the time that “he didn’t remember anything.”
The deluge: 2020 – present
2020: Israel feels the heat
Water is a precious commodity everywhere, but especially in countries prone to drought or with little access to sources of fresh water. Throw geopolitics into the mix, and attacks on water supply and treatment plants quickly become sinister, rather than merely inconvenient and expensive.
In April 2020, adversaries believed to be linked to the Iranian government allegedly targeted multiple pumping stations and wastewater treatment plants in Israel. Their aim was to raise chlorine levels in certain water supply systems. To prevent any additional breaches, the authorities directed all water and energy facilities nationwide to update passwords for their SCADA systems. Even so, in June there were further attacks on water suppliers in Israel, also designed to elevate the chlorine content of drinking water to dangerous levels.
At the end of 2020, a group of Iranian threat actors exposed a flaw in the control system of an Israeli reservoir. According to the group, its human-machine interface (HMI) could be accessed online without any authentication required.
2021: A password shared is a network breached
In retrospect, the February 2021 breach of Oldsmar, Florida’s wastewater treatment facility, seemed inevitable. Investigators were shocked by just how easy it was for the intruder to access its network.
It’s believed the attacker (or attackers) used two points of entry. The first was the TeamViewer software installed on the computers used by everyone at the plant, and which were all connected to the plant’s control system. The plant’s employees were all using the same password to access TeamViewer. The investigators also noted that the plant’s computers were directly connected to the internet without any firewall protection in place.
The second point of entry was the exploited flaws in a Windows 7 operating system.
This intrusion would have allowed the threat actors to make the town’s drinking water extremely toxic by increasing the level of sodium hydroxide in it. Fortunately, the situation was quickly brought under control and crisis was averted.
Attackers also used the TeamViewer credentials of former employees to attack a water treatment facility in the San Francisco Bay area. They then deleted computer programs required to treat drinking water.
In both the Oldsmar and San Francisco attacks, it seems the TeamViewer credentials were purchased on the dark web.
2022 – present: Some anarchy in the UK
England’s South Staffordshire Water issued an apology in 2022 following a data breach in which hackers stole its customers’ personal information.
And in January 2024, Southern Water, a provider for 4.6 million customers in the south of England, reported that the Black Basta ransomware group had breached its systems and put a “restricted quantity” of information on the dark web.
The breaches prompted the credit rating agency Moody’s to warn that, while UK suppliers wait for approval from their regulator to increase investment in digital security, the industry’s vulnerability is growing.
Why water, and why now?
Water is an essential need, and there has been infrastructure around it ever since people started living in settlements. This means that, even in very wealthy countries, most water treatment plants are likely to be decades old and poorly maintained thanks to the huge investment required to modernise them. Legacy systems abound and, over time, industry standard practices and systems have been widely adopted (e.g. the ubiquitous use of SCADA).
Ironically, as they adopt greater digital capabilities to improve their performance, these plants become more vulnerable to a wider variety of cyber attacks.
The other point our case studies highlight is that, until fairly recently, most of the calls were coming from inside the house. Compromised treatment facilities didn’t have to look much further than disgruntled (or inebriated) current and former personnel, or beyond careless IT practices like sharing passwords and clicking on links in phishing emails.
While these hazards will never go away, it is the rising number of threat actors with complex aims and motivations behind the current flood of attacks.
This increase is partly due to the emergence of Ransomware-as-a-Service (RaaS) outfits. Even novice ‘hackers’ can launch a ransomware attack with a sophisticated program bought for a relatively modest sum. And these novices will, naturally, be attracted to large targets with notoriously poor cyber security – like water treatment and distribution facilities.
AI is also making the job of cyber criminals much easier, now that convincing scam emails and phone calls can be created in minutes.
The fear factor
The financial motivations of a ransomware attacker are obvious. But darker forces are also at work.
State-backed threat actors can use water supplies to hold entire populations as hostages to fear, even if they stop short of poisoning the drinking water. Cutting off water to hospitals and care homes, for example, could do just as much harm.
The implications for the cyber security of large infrastructure entities across all sectors are sobering. Think, for example, of the £50bn geological disposal facility (GDF) initiative to construct an extensive underground nuclear waste facility and the Sellafield nuclear site in Cumbria, or of the Russian-backed military hackers who momentarily brought down parts of Ukraine’s electrical grid in the winters of 2015 and 2016.
In fact, Radioactive Waste Management – the company behind the GDF project – revealed in January 2024 that it had foiled hackers who tried to breach it via a LinkedIn social engineering attack.
Combatting cyber threats
- Define privileged access programs: Access to privileged and critical systems should be controlled, monitored and managed – particularly considering integrations with off-boarding and on-boarding processes.
- Create proactive and comprehensive strategies: Following industry standards and best practices is vital, and it is imperative that data is encrypted during transmission and storage.
- Assess and review: Conduct routine vulnerability assessments and review cyber security measures regularly to ensure that strategies and processes can address new and emerging threats.
- Move with the times: Staying ahead of threats requires investment in both people and tech – bear in mind that advanced solutions like AI can be used for defence as well as offense.
- Bring expertise on-site: Any company reliant on automation and digital tools needs to have dedicated security personnel who can establish and maintain good cyber hygiene and provide rapid response when threats emerge.
- Collaborate and develop: Promote a culture of continuous improvement through training for all personnel. Encourage IT security teams to work with external cyber security professionals, who can offer valuable perspectives and innovative solutions. Tabletop exercises, penetration testing, and threat intelligence monitoring are just three ways in which internal security teams can benefit from collaborating with other specialists.
Cyber Risk
We bring the best of our collective experience, energy and creative power to fiercely safeguard our clients and fortify their communities.
Insights
Thomas Murray launches OrbitAI
Thomas Murray, a global leader in risk management, due diligence, and cyber security services, is proud to announce the launch of OrbitAI. This…
Thomas Murray launches Cyber Risk practice with key strategic hire
Leading global risk intelligence firm Thomas Murray has announced the launch of its Cyber Risk advisory practice today with the key strategic…
We safeguard clients and their communities
Petroleum Development Oman Pension Fund
“Thomas Murray has been a very valuable partner in the selection process of our new custodian for Petroleum Development Oman Pension Fund.”
ATHEX
"Thomas Murray now plays a key role in helping us to detect and remediate issues in our security posture, and to quantify ATHEX's security performance to our directors and customers."
Northern Trust
“Thomas Murray provides Northern Trust with a range of RFP products, services and technology, delivering an efficient and cost-effective solution that frees our network managers up to focus on higher Value activities.”