A Review of Cybersecurity Incidents in the Water Sector – a good start but with technical issues

The report, “A Review of Cybersecurity Incidents in the Water Sector”, was published in the September 2019 issue of the Journal of Environmental Engineering. I applaud the need for this report because it is very important to educate the community about cyber incidents in the water/wastewater (and other) industries so as not to keep having control system cyber incidents recurring. However, there are major issues in the report:

- The report's premise is that cyber threats are primarily network issues (whether IT or OT), and it minimizes the control system devices such as process sensors, actuators, drives, power supplies, and analyzers. The report states “the lowest level generally consists of field elements (also called end or dumb devices), such as sensors, pumps, and actuator.” However, this is a dangerous assumption, as there is no cyber security or authentication at this level and these sensors may be remotely compromised – they are not as “cyber dumb” as you may think. Moreover, one of my recent blogs was on counterfeit pressure and differential pressure sensors, the ultimate Trojan horse: https://www.controlglobal.com/blogs/unfettered/the-ultimate-control-system-cyber-security-nightmare-using-process-transmitters-as-trojan-horses/. These types of sensors are used in water/wastewater applications for measuring pressure, level, and flow. If you can't trust your process measurements, you have no security, safety, or resilience.

- The network focus also explains the use of the Center for Internet Security (CIS) controls, as they are IT-focused. Some of those controls are relevant to control system networks; some are not. However, they have little relevance for control system devices.

- The report states, “the reality is that many cybersecurity incidents either go undetected, and consequently unreported or are not disclosed as doing so may jeopardize the victim’s reputation, customers’ trust, and, consequently, revenue.” However, there is an unwritten assumption that a cyber attack against control systems that could shut down a facility would be detectable. The Triton hack in Saudi Arabia shut down a large petrochemical plant, and the plant staff didn't recognize it was a cyber attack. Consequently, they restarted the plant with the malware still in the Engineer’s Workstation. This means that detecting a cyber attack that shuts down a water/wastewater system may not be possible.

- Per the authors of this report, they did not conduct any direct investigation themselves. I did. Consequently, what bothered me about the report’s cases was that it treated a real case as a myth and a myth as a real case. Specifically, the Illinois Water Hack was a real case, not a myth. The Illinois Fusion Center report was very clear that SCADA was remotely accessed and the system was impacted. According to the Illinois Fusion Center’s report, “Over a period of two to three months, minor glitches had been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump…” There is no way to view this as anything but a cyber incident, regardless of the Washington Post or any other reference. Consequently, this is not a "cry wolf" case but a real case that needs to be addressed for a myriad of ramifications. My blog on this event, dated 11/17/2011 (https://www.controlglobal.com/blogs/unfettered/water-system-hack-the-system-is-broken/), was not referenced in the report. From first-hand knowledge, there is another case where a water utility had its remote access to SCADA hacked, and again the case was never adequately presented to industry. Conversely, Verizon’s Kemuri incident was not a real incident but an amalgam of incidents. Yet it was presented as a real case in the report and continues to find its way into the public literature.

- The Bowman Avenue Dam was, strictly speaking, not part of water/wastewater but flood control. My database of control system cyber incidents now holds more than 1,200 incidents, with more than 75 in the water/wastewater industry. If you add hydro facilities, it is more than that. Because my focus is on control systems and physical impacts to systems/people rather than just network impacts, I have not included water industry IT ransomware cases from Lansing, Baltimore, Atlanta, and others that did not affect control systems or operational performance.

- According to the report, “the majority of targeted systems are US-based water systems which might be because: 1) they use more advanced networking technologies (integrated IT/OT architecture) and are thus more exposed to the internet; 2) they are lucrative targets for hackers with a wide variety of goals; and 3) incidents reporting and information sharing is more systematically and extensively encouraged, required, and pursued in the US (NIST 2012). There have been claims of WWS cyber-attacks in other countries, such as Ukraine (Martin 2018), but limited reliable information is publicly available for such incidents.” Ironically, the report didn’t mention Maroochy (Australia) in this section. I believe the real issue is that we simply have more information on systems and incidents in the US, so the data is skewed toward US systems.

My concerns with these water cases are similar to gaps in other industries such as electric, oil/gas, and manufacturing. As these industries use the same or similar equipment from the same vendors, the information sharing gap is still very wide.

Joe Weiss


Comments

  • Thanks a lot for your interest in our work and for stimulating the discussion. As one of the authors of the review paper, I am adding here my answers to the issues you raised, hoping they can clarify things for the readers of your (interesting) blog.

    1. It is true that edge devices can also be attacked. Indeed, I co-authored several papers that explicitly consider this problem. I also developed a software toolbox that, among other things, allows you to simulate attacks on edge devices, such as manipulation of sensor readings. This work has been cited in our review paper (see for instance https://ascelibrary.org/doi/10.1061/%28ASCE%29WR.1943-5452.0000749). That said, all the incidents we reviewed did not feature any direct attack on edge devices like the one you mentioned, and that is why we put the emphasis on network attacks instead.

    2. At the end of the subsection on “Defense models” we explain the similarities between IT and OT security controls and suggest how we can categorize OT controls in standard IT CIS. Our focus is not to propose a new CIS category for OT.

    3. There is no unwritten assumption regarding attack detection. Indeed, we specifically wrote “that many attacks go undetected”.

    4. We do cite a piece on Wired from Zetter (2011) which was published 1 day after your blog post (November 18) and that features an interview you had with them. We did not find any reputable source that claimed that the Illinois incident was real after it had been identified as a false alarm. Similarly, we did not find any source claiming that the Kemuri incident was a myth. Did we miss something important released by independent and reputable sources on these matters?

    5. Flood control infrastructure, like the Bowman Avenue Dam, is still water infrastructure. Therefore, this cannot be considered a major issue.

    6. Most of our reported incidents (with reputable sources confirming it) happened in the US. Again, this cannot be considered a major issue since we were talking about the majority of the reported incidents (not all). The readers can easily figure this out since we discuss Maroochy extensively.
