Abstract

This study presents a critical review of disclosed, documented, and malicious cybersecurity incidents in the water sector to inform safeguarding efforts against cybersecurity threats. The review is presented within a technical context of industrial control system architectures, attack-defense models, and security solutions. Fifteen incidents were selected and analyzed through a search strategy that included a variety of public information sources ranging from federal investigation reports to scientific papers. For each individual incident, the situation, response, remediation, and lessons learned were compiled and described. The findings of this review indicate an increase in the frequency, diversity, and complexity of cyberthreats to the water sector. Although the emergence of new threats, such as ransomware or cryptojacking, was found, a recurrence of similar vulnerabilities and threats, such as insider threats, was also evident, emphasizing the need for an adaptive, cooperative, and comprehensive approach to water cyberdefense.

Data Availability Statement

No data, models, or code were generated or used during the study.

Acknowledgments

Mohsen Aghashahi and M. Katherine Banks are supported by Qatar National Research Fund (QNRF) under Grant NPRP8-1292-2-548. Riccardo Taormina and Stefano Galelli are supported in part by the National Research Foundation (NRF) of Singapore under its National Cybersecurity R&D Programme (Award no. NRF2014NCR-NCR001-40). Avi Ostfeld is supported by the EU H2020 STOP-IT project (Grant agreement 740610).

Published In

Journal of Environmental Engineering
Volume 146, Issue 5, May 2020

History

Published online: Feb 28, 2020
Published in print: May 1, 2020
Discussion open until: Jul 28, 2020

Authors

Amin Hassanzadeh, Ph.D.
R&D Principal, Accenture Labs, Cyber Fusion Center, 800 North Glebe Rd., Arlington, VA.
Industry Advisor, Zachry Dept. of Civil Engineering, Texas A&M Univ., 400 Bizzell St., College Station, TX 77843 (corresponding author). ORCID: https://orcid.org/0000-0003-3102-0525.
Stefano Galelli, Ph.D., M.ASCE
Assistant Professor, Pillar of Engineering Systems and Design, Singapore Univ. of Technology and Design, 8 Somapah Rd., Singapore 487372. ORCID: https://orcid.org/0000-0003-2316-3243
Mohsen Aghashahi, S.M.ASCE
Doctoral Student, Zachry Dept. of Civil Engineering, Texas A&M Univ., 400 Bizzell St., College Station, TX 77843.
Riccardo Taormina, Ph.D.
Assistant Professor, Faculty of Civil Engineering and Geosciences, Dept. of Water Management, Delft Univ. of Technology, Stevinweg 1, 2628 CN Delft, Netherlands.
Avi Ostfeld, Ph.D., F.ASCE
Professor, Faculty of Civil and Environmental Engineering, Technion–Israel Institute of Technology, Haifa 32000, Israel.
M. Katherine Banks, Ph.D., F.ASCE
Professor, College of Engineering, Texas A&M Univ., 400 Bizzell St., College Station, TX 77843.
