The report, “A Review of Cybersecurity Incidents in the Water Sector”, was published in the September 2019 issue of the Journal of Environmental Engineering. I applaud the need for this report because it is very important to educate the community about cyber incidents in the water/wastewater (and other) industries so as not to keep having control system cyber incidents recurring. However, there are major issues in the report:
- The report's premise is that cyber threats are primarily network issues (whether IT or OT) and minimizes the control system devices such as process sensors, actuators, drives, power supplies, and analyzers. The report states “the lowest level generally consists of ﬁeld elements (also called end or dumb devices), such as sensors, pumps, and actuator.” However, this is a dangerous assumption as there is no cyber security or authentication at this level and these sensors may be remotely compromised – they are not as “cyber dumb” as you may think. Moreover, one of my recent blogs was on counterfeit pressure and differential pressure sensors - the ultimate Trojan horse https://www.controlglobal.com/blogs/unfettered/the-ultimate-control-system-cyber-security-nightmare-using-process-transmitters-as-trojan-horses/ . These types of sensors are used in water/wastewater applications for measuring pressure, level, and flow. If you can't trust your process measurements, you have no security, safety, or resilience.
- The network focus also explains the use of the Center for Internet Security (CIS) controls as they are IT-focused. Some of those controls are relevant to control system networks; some are not. However, there is little relevance for control system devices.
- The report states, “the reality is that many cybersecurity incidents either go undetected, and consequently unreported or are not disclosed as doing so may jeopardize the victim’s reputation, customers’ trust, and, consequently, revenue. However, there is an unwritten assumption that a cyber attack against control systems that could shut down a facility would be detectable. The Triton hack in Saudi Arabia shut down a large petrochemical plant and the plant staff didn't recognize it was a cyber attack. Consequently, they restarted the plant with the malware still in the Engineer’s Workstation. This means cyber detection that may shutdown a water/wastewater system may not be possible.
- Per the authors of this report, they did not conduct any direct investigation themselves. I did. Consequently, the report’s cases that bothered me were assuming a real case was a myth and a myth was a real case. Specifically, the Illinois Water Hack was a real case not a myth. The Illinois Fusion Center report was very clear that SCADA was remotely accessed and the system was impacted. According to the Illinois Fusion Center’s report, “Over a period of two to three months, minor glitches had been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump…” There is no way to view this as anything but a cyber incident regardless of the Washington Post or any other reference. Consequently, this is not a "cry wolf case" but a real case that needs to be addressed for a myriad of ramifications. My blog on this event dated was dated 11/17/2011 https://www.controlglobal.com/blogs/unfettered/water-system-hack-the-system-is-broken/ but was not referenced in the report. From first-hand knowledge, there is another case where a water utility had their remote access to SCADA hacked and again the case was never adequately presented to industry. Conversely, Verizon’s Kemuri incident was not a real incident but an amalgam of incidents. Yet, it was presented as a real case in the report and continues to find its way into the public literature.
- The Bowman Avenue Dam was strictly not part of water/wastewater but flood control. My database of control system cyber incidents is now more than 1,200 with more than 75 in the water/wastewater industry. If you add hydro facilities, it is more than that. Because my focus is on control systems and physical impacts to systems/people rather than just network impacts, I have not included water industry IT ransomware cases from Lansing, Baltimore, Atlanta, and others that did not affect control systems or operational performance.
- According to the report, “the majority of targeted systems are US-based water systems which might be because: 1)they use more advanced networking technologies(integrated IT/OT architecture) and are thus more exposed to the internet; 2) they are lucrative targets for hackers with a wide variety of goals; and 3) incidents reporting and information sharing is more systematically and extensively encouraged, required, and pursued in the US (NIST 2012). There have been claims of WWS cyber-attacks in other countries, such as Ukraine (Martin 2018), but limited reliable, information is publicly available for such incidents.” Ironically the report didn’t mention Maroochy (Australia) in this section. I believe the real issue is we simply have more information on systems and incidents in the US and so the data is skewed to US systems.
My concerns with these water cases are similar to gaps in other industries such as electric, oil/gas, and manufacturing. As these industries use the same or similar equipment from the same vendors, the information sharing gap is still very wide.