Why Even Our Water Supply Is Not Safe From Hackers

There’s been a lot of attention lately on the U.S. “mother of all bombs,” Russia’s “father” counterpart—and North Korea’s nukes—but there’s another WMD lurking that we all need to be afraid of. Very afraid.

It’s cyberattacks, and not the ones that steal your personal info to go on a J.Crew shopping spree. The new warfare is taking place on the industrial internet, with hackers targeting the tech that controls everything from automated manufacturing to the power grid. And as one attack showed last year: Even our drinking water is in the crosshairs.

In early 2016, it was revealed that the control system of a massive water utility serving millions was hacked—and it was not just a garden-variety data breach. Verizon Security Systems reported that attackers had tampered with computers that manage water chemicals that make H2O safe to drink.

The location of the plant was not made public but it turned out there was a common theme that comes up time and again in these breaches: The utilities cybersecurity protocols were a decade out of date.

“Weapons of mass destruction don’t have to be physical bombs that move from one location to another—they can be these ticking bombs in these control systems that …cause severe damage and bring down the critical infrastructure of a country.” says Eddie Habibi, founder and CEO of the Houston-based ICS security firm PAS.

The need for increased industrial cyber safety extends far beyond water plants (there are more than 150,000 public water utilities in the U.S. alone). Around the same time the Verizon report came out, New York federal prosecutors charged seven Iranian hackers with  hacking dozens of finance firms and gaining digital access to a dam in suburban Westchester County. If the dam hadn’t been undergoing maintenance, the hackers would have been able to manipulate a sluice gate used to protect nearby properties from flooding, prosecutors said.

“The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime,” said Preet Bharara, Manhattan’s then chief federal prosecutor.

State-sponsored hackers have also had success remotely tampering with industrial equipment abroad—Stuxnet, the specialized malware believed to be deployed by U.S. and Israeli intelligence, famously sabotaged control systems used by Iran’s nuclear program, and Russian hackers are believed to be behind attacks on electric  power plants in the Ukraine.

The other sector that is playing catch-up in securing its digital controls is manufacturing, where saboteurs can cause millions of dollars of damage to factory equipment and disrupt supply chains.

Because private customer data is generally not in play with industrial controls, there has been less publicity and less public and legal pressure to avoid digital breaches.

“Manufacturers haven’t had those regulatory pressures that other industries have had—even health care has had higher pressures, because of things like HIPAA and HITECH,” says Sean Peasley, a partner  in Deloitte’s cyber risk services practice, referring to federal health information privacy laws. “Manufacturers are a little bit behind in terms of their capabilities and their maturities.”

That gap is creating opportunities for software vendors and security consultants with experience in both industrial computing and digital security.

IBM Security reports that its clients in manufacturing experience 62% more attacks than average clients, and a number of high-profile hacks have made the news. A German steel mill reportedly sustained “massive damage” in an attack reported in 2014, after hackers tampered with blast furnace controls.

“Overall, financial services is one of the most heavily attacked, but manufacturing is certainly in the top five,” says IBM’s Diana Kelley, an executive security advisor.

Among the challenges is servicing the often esoteric software used to command equipment in facilities like power plants and factories. A report released last year by Deloitte and the Manufacturers Alliance for Productivity and Innovation found that nearly a third of manufacturers hadn’t conducted cyber risk assessments. The systems can end up falling into a security no-man’s-land, with neither corporate IT departments nor factory managers guarding the store.

And if industrial systems are connected to office computers, hackers and malware can jump from one network to the other, using vulnerabilities on one side of the business to endanger the other. That was the case in the water plant described by Verizon: Attackers broke into the control system through computers used in customer service.

The same annoying ransomware that hits home PCs can also potentially shut down production or destroy critical factory data.

“Their systems are compromised, information is kind of scrambled, and everything just comes to a halt,” says Matt Kozloski, vice president for professional services at the Kelser Corp., a Glastonbury, Conn., consulting company.

Security experts suggest companies limit access between industrial and office machines, or even isolate industrial networks entirely from other systems and the internet—a practice known as air-gapping—but in practice systems can be connected and configured in ways even system administrators don’t fully understand.

“They might say that there’s no way for somebody in the industrial control system to be able to access the internet, or be able to gain access that way, but when we go and perform vulnerability assessments, a lot of times we find there really is no air gap,” Peasley says.

The need to protect industrial networks has created opportunities for companies. Kelser, located near Connecticut’s Naval Submarine Base in New London and a number of defense-oriented manufacturing firms, has been assisting clients in meeting an end-of-year deadline for federal suppliers to implement a recent standard for safeguarding restricted information, like sensitive product designs.

“If that diagram is on the office PCs or the office PCs have access to it, then that would naturally fall into protecting those machines,” Kozloski says, and if the file is also loaded onto an industrial milling machine, that system would have to be provably compliant as well.

Keeping industrial systems secure can involve more complex decisions than the typical office PC, says Robert M. Lee, CEO of the D.C.-area industrial cybersecurity company Dragos. Even if a system has security issues, it’s not always possible to shut it down or disconnect it from a network without doing more harm than good.

“If you try to block something in an ICS environment—an industrial control systems environment—you could be blocking safety critical communications,” he says.

In one case, he says, a client in the electrical power sector had a worker accidentally infect company systems with malware through a contaminated USB key. The infection found its way to what Lee calls a “sensitive system,” but simply shutting down the machine could have led to electrical outages. The company ultimately decided the malware itself wasn’t a risk to operations, and left it on the computer—under careful supervision—until a scheduled maintenance cycle two months away.

“They needed to clean it up, but they didn’t have to right then,” he says.

At the same time, accidentally misconfigured control systems can be just as damaging as deliberate digital sabotage, says PAS’s Habibi. The company has developed complex models of a wide variety of industrial systems—and notifies administrators and engineers when something seems off.

“We monitor for configuration changes that are anomalous, and unexpected, and unauthorized,” Habibi says.

The PAS system works in conjunction with more traditional security tools like firewalls and can catch dangerous settings whether they’re the result of human error, industrial sabotage, or a sophisticated attack by a hostile foreign power looking to damage domestic industry, he says.

“Nation states are actually the biggest threat, in our view, to the global critical infrastructure, and we’re not the only ones with that view,” he says.