Holding Water

Our freshwater supply is obviously considered critical infrastructure. How long can modern societies exist without this most basic commodity?

Before it gets to our taps, water is collected, stored, processed, and distributed with considerable effort and expense from both the Information Technology (IT) side as well as the Operational Technology (OT) side. The former deals primarily with customers and billing while the latter is concerned with sanitizing and moving the actual life-sustaining product.  

Cyberattacks on water supply systems have become an unfortunate, but growing, trend in recent years. The high level of risk associated with the sector, both in terms of the important data it processes as well as the vital product it delivers, demonstrates how woefully under-protected our vital water supplies really are. 

Two Recent Examples

A 2023 attack on a US waterworks facility in Pennsylvania affected 6,000 households. Hackers affiliated with Iran’s Islamic Revolutionary Guard Corps penetrated programmable logic controllers — industrial computers that control heavy machines used in factories and public utilities. A similar attack on the water supply in Erris, a remote area on Ireland’s west coast, left 8000 consumers without water for two days.

Veolia and Southern Water: Welcome to the Club

Veolia North America serves more than 200 communities across America, operating as both a regulated utility and a contract operator of water and wastewater systems.

Just last month, Veolia’s Municipal Water Division announced that it was hit by a ransomware attack that affected software applications and systems. The company added that personal information was impacted.

In response to the incident, Veolia took certain back-end systems and servers offline until they could be cleaned and restored. This led to disruptions to its online bill payment systems, temporarily affecting customers’ ability to pay water bills.

Southern Water, a provider of water and wastewater services for Kent, Sussex, Hampshire, and the Isle of Wight, in the UK, faced a similar threat, as cybercriminals proclaimed a successful data confiscation from their IT systems. Water supply was temporarily disrupted. 

Implications for OT Security
While some attacks directly target the OT side of the business, even those that start on IT systems can soon make their way to the OT side. 

IT and OT networks are no longer “air-gapped” as they used to be. The increasing use of internet-facing assets on the OT side, as well as the sharing of information between IT and OT for improved efficiency, have caused these networks to converge, presenting a growing attack surface to nation-state actors as well as hacker syndicates. As soon as attackers exploit a vulnerability to gain a foothold anywhere in any company network, they can quickly compromise production systems.

Some attackers are interested in financial rewards, but others have political motivations. What better way to damage your enemy than to disrupt their water supply?

Wake Up!

Recent cyber incidents targeting water systems must serve as a wake-up call for paying attention to safeguarding essential infrastructure. While the immediate response to an incident will be concerned with the recovery of data and re-establishment of vital services, long-term cyber resilience requires a holistic approach that integrates OT-specific security measures with broader cybersecurity strategies. 

There is no time to lose!

We recommend implementation of network segmentation and access controls, as well as deployment of monitoring and threat detection solutions. Collaboration between IT and OT teams, along with adherence to industry best practices and regulatory guidelines, are essential for mitigating risks and protecting against inevitable future attacks on OT environments.