Water Utility Cyberattack Rings Up Hefty Data Charges

Money is often the root of cyberattacks on water utilities, experts say.

As more water utilities connect critical equipment to the internet, securing those systems against cyberattack will be essential. Photo © J. Carl Ganter / Circle of Blue


By Brett Walton, Circle of Blue

Hackers that stormed the digital defenses of an American water authority and took control of its cellular routers late last year were not interested in disrupting water supply and wastewater treatment. Instead they were intent on stealing valuable internet service, and lots of it, according to a Department of Homeland Security intelligence briefing published on March 29.

As the hackers took command and used the routers for other purposes, the authority’s cellular data bill soared — from an average of $US 300 a month to $US 45,000 in December and $US 53,000 in January. Details of the government’s report on the incident were described to Circle of Blue by Michael Preston, who works on security issues with the National Rural Water Association, and others who read the briefing.
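A billing spike of that size is one of the cheapest, highest-signal indicators a small utility can watch for, since it does not require anyone to read router logs. The script below is an added example written for this article, not code from Circle of Blue, DHS, or the router vendor; it flags months whose cellular-data charge exceeds a multiple of a rolling median baseline. The month-by-month figures are constructed to match the numbers the article reports (about $300 a month, then $45,000 and $53,000), and the threshold multiple is an assumption, not a published standard.

```python
"""Flag runaway cellular-data spend against a rolling baseline.

Added example; not from the article or any vendor's tooling. The threshold
multiple (factor) and the look-back window are assumptions for illustration.
"""
from statistics import median

# Constructed monthly cellular-data charges in USD: (billing month, amount).
SAMPLE_BILLS = [
    ("2016-05", 290.0),
    ("2016-06", 310.0),
    ("2016-07", 295.0),
    ("2016-08", 320.0),
    ("2016-09", 305.0),
    ("2016-10", 300.0),
    ("2016-11", 4200.0),   # hypothetical: compromise begins partway through the month
    ("2016-12", 45000.0),  # figure reported in the article
    ("2017-01", 53000.0),  # figure reported in the article
]


def baseline(amounts, window):
    """Median of the most recent `window` amounts.

    A median resists being dragged upward by a single unusual month in a way
    that a mean does not.
    """
    recent = amounts[-window:]
    return median(recent) if recent else 0.0


def flag_spend_anomalies(bills, window=6, factor=3.0, min_history=3):
    """Return (month, amount, multiple) for months above factor x the rolling baseline.

    Only months that were NOT flagged feed the baseline, so a compromise that
    persists for several months never becomes the 'new normal'. The first
    `min_history` months are accepted unconditionally to seed the baseline.
    """
    clean = []    # amounts accepted as normal, in order
    flagged = []
    for month, amount in bills:
        if len(clean) >= min_history:
            base = baseline(clean, window)
            if base > 0 and amount > factor * base:
                flagged.append((month, amount, round(amount / base, 1)))
                continue
        clean.append(amount)
    return flagged


if __name__ == "__main__":
    for month, amount, mult in flag_spend_anomalies(SAMPLE_BILLS):
        print(f"{month}: ${amount:,.0f} is {mult}x the recent baseline; "
              f"review router traffic, credentials and firmware level")
```

Run against the constructed series, the November charge is already flagged at roughly 14 times the baseline, weeks before the December and January bills that the article describes; the point of feeding only unflagged months back into the baseline is that December and January are still measured against the pre-incident $300 level rather than against the previous compromised month.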

The authority was hacked between November 2016 and January 2017. The Department of Homeland Security has not made the report public and declined a request for an interview.

The utility was not named in the report. This much is known, though. The intrusion did not damage utility infrastructure. Instead, the hackers took advantage of it. They seized control of Sixnet BT series cellular routers that were designed to provide secure wireless access for monitoring the utility’s dispersed collection of pumping stations and other sites, said Preston. Four of the utility’s seven routers were compromised.

Sixnet, the maker of the routers, is owned by Red Lion Controls, a Pennsylvania-based company that produces computer network hardware for industrial systems. Red Lion did not respond to Circle of Blue’s request for comment, but Preston said that the company produced a patch in May 2016 for the vulnerable routers. Presumably, the hacked utility did not learn that its system was at risk and did not install the patch, he said.

Though it frequently issues cybersecurity advisories, the Department of Homeland Security rarely writes intelligence briefings on a water sector cyberattack, utility security experts said. This may be because so few are reported — only 25 U.S. water utilities, out of more than 50,000 systems, notified the department’s emergency response team of an attack in 2015, Bob Timpany, the unit’s operations chief, told Circle of Blue last year.

Water utility operations are increasingly connected to the internet — not just billing and email services but also the pump stations and treatment systems that are a utility’s core function. Internet connections allow operators to monitor systems from afar, which cuts costs. But after a number of attacks in recent years exploited utility system weaknesses — the hacking of a small dam in New York in the summer of 2013, for instance, and an attack on Ukraine’s electrical grid in December 2015 that shut off power to some 700,000 people for a few hours — water officials are understanding the need to secure their computer networks against digital intrusions.

In this case, the utility’s routers seemed to be a target of opportunity, according to Kevin Morley, security and preparedness program manager with the American Water Works Association.

“I don’t believe they were targeted because they are a water utility. This seems like an opportunistic action to ‘steal’ bandwidth from a system to which they gained access,” Morley, who saw the report, told Circle of Blue.

Breaking into the routers should not have been difficult. The Department of Homeland Security’s summary of Red Lion’s patch notes that exploiting the router’s vulnerability, by hacking a factory-installed password, requires “low skill.”

Cybersecurity Concern at the Highest Levels

Most cyberattacks on water utilities do not result in damaged pumps or unhealthy levels of chlorine in the water supply. Instead, the motivation is often money, Morley reckoned — free internet by tapping an unsecured router or the possibility of a ransom by holding email servers hostage.

Still, the hacking of the cellular routers “reinforces the fact that water and wastewater critical infrastructure is vulnerable to bad actors who can launch an attack from anywhere at any time,” Preston told Circle of Blue.

It is a concern shared by many. The new Congress, which convened in January, has shown strong interest in cybersecurity in its first months. The Senate Committee on Commerce, Science, and Technology held a hearing on March 22 on cybersecurity technologies. The House Energy and Commerce Committee discussed cybersecurity for the health care sector on April 4, two months after it held a hearing on digital protections for the electrical grid. The Senate Energy Committee is involved, too. It held a hearing on cybersecurity on April 4.

Worry reaches into the White House. President Trump is preparing an executive order on cybersecurity for federal agencies and critical infrastructure: dams, nuclear plants, electrical grids, water and wastewater systems, and a dozen other sectors. Two draft orders that were leaked since January show an evolution in the administration’s thinking and a willingness to engage, experts say. White House officials are discussing cyber problems with agency representatives and industry leaders and, unlike other orders, not discarding the work of the Obama administration.

“I am hearing a lot of good conversation taking place to get a sense of where agencies are and the challenges they’re facing. That’s good,” said Dan Jacobs, cybersecurity program coordinator for the General Services Administration, according to E&E News. “Questions are being asked.”

The cellular router hacking outlined in the DHS report, though it did no physical harm, represents another breach in digital defenses in the water sector. Utilities, however, are not helpless. They have a number of guidebooks to follow thanks to the work of the American Water Works Association, an industry group, WaterISAC, a cybersecurity information hub for the water sector, and ICS-CERT, the Department of Homeland Security’s emergency response team.

Michael Arceneaux, managing director of WaterISAC, told Circle of Blue that he has seen a change in the type of cyberattacks on water utilities recently, with fewer reports of ransomware attacks in the last six months. Ransomware is malicious software that seizes control of a computer system or its files and demands payment, often in untraceable bitcoins.

Though he does not have data on the number of attacks, Arceneaux said the anecdotal decline could be attributed to utilities adopting safer practices such as applying security patches, encrypting sensitive data, using firewalls between operating systems, and communicating with software vendors.

Based on the router hacking, though, not all utilities are aware of necessary patches. Ensuring the flow of critical information between industry, government, and water utilities is still a challenge, Arceneaux said. But it is essential for improving cybersecurity.

For Morley, the router intrusion warrants a cautious response, but he is also realistic about limitations. Water utilities can reduce their exposure to cyberattack but they will never eradicate it.

“I think the point here is that all infrastructure systems need to be vigilant,” Morley said. “Cybersecurity does not equal risk elimination. That would be like saying that if a bank installs an alarm then bad guys will stop trying to rob them. Cybersecurity lowers the likelihood of success, but it does not eliminate the risk.”