Compromising vital infrastructure: water management

It’s probably unnecessary to explain why water management is considered part of our vital infrastructure, but it’s a wider field than you might expect—and almost every one of its components can be integral to our survival.

We all need clean water to drink. As much as I like my coffee, I can’t make it with contaminated liquids. And the farmers that grow our coffee need water to irrigate their land. On top of that, the water we use in our households and workplaces needs to be cleaned before it goes back into nature.

In some countries, and especially in large river delta areas, we need a high level of control over the water level to prevent flooding. Other areas need methods to retain water to avoid droughts or to keep vital transportation methods that depend on rivers and canals on the move.

We also use water to generate energy, for example, through dams and mills. In the first decade of this millennium, hydropower accounted for about 20 percent of the world’s electricity, and with the increasing need for clean energy, we can expect this percentage to rise.

Water management is considered so critical that tampering with a water system is a US Federal Offense (42 U.S.C. § 300i-1).

Yet, cybercriminals have found ways to compromise these vital systems as well. Let’s take a look at their methods of attack.


The Supervisory Control and Data Acquisition (SCADA) architecture in use across water management plants is, despite their diversity, for the most part consistent. There are only so many companies that produce Programmable Logic Controllers (PLCs). In the past, vulnerabilities have been found in widely used PLCs made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics, and Schweitzer Engineering Laboratories. And I would dare to wager that some have been found that we haven’t been made aware of.

One of the best organized safety aspects of water and sewage plants is their physical access control (which is not always easy to get right either, if only because of the size of some of these installations). But, according to the 2018 Cybersecurity Risk and Responsibility in the Water Sector report by the American Water Works Association (AWWA):

“Cybersecurity is a top priority for the water and wastewater sector. Entities, and the senior individuals who run them, must devote considerable attention and resources to cybersecurity preparedness and response, from both a technical and governance perspective. Cyber risk is the top threat facing business and critical infrastructure in the United States.”

The report goes on to say that getting cybersecurity right is not an easy mission and many organizations have limited budgets, aging computer systems, and personnel who may lack the knowledge and experience for building robust cybersecurity defenses and responding effectively to cyberattacks.

In cyberwarfare, a mass shutdown of computers controlling waterworks and dams could result in flooding, power outages, and shortage of clean water. In the long run, this could lead to famine and disease. In March and April 2018, the US Department of Homeland Security and Federal Bureau of Investigation warned that the Russian government is specifically targeting the water sector and other critical infrastructure sectors as part of a multi-stage intrusion campaign.


One of the major threats to water-energy plants is Industroyer, aka CrashOverride, an adaptable malware that can automate and orchestrate mass power outages. Its most dangerous component is its ability to manipulate the settings on electric power control systems. It can also erase the software on the computer that controls circuit breakers. CrashOverride clearly was not designed for financial gain; it is purely a destructive tool.

Another malware that threatens many industrial plants is Stuxnet, which is designed to spread through Windows systems and go after specific programmable controllers by seeking out the software used to program them. Near the end of 2018, the Onslow Water and Sewer Authority (ONWASA) said it would have to completely restore a number of its internal systems after an outbreak of Emotet and one of the ransomware variants it is known to deliver.

Earlier in 2018, the first cryptocurrency mining malware impacting industrial control systems and SCADA servers was found in the network of a water utility provider in Europe. This was not seen as a targeted attack, but rather the result of an operator accessing the Internet from a legacy Human Machine Interface (HMI).

Not that SCADA systems are free of targeted attacks. A honeypot that mimicked a water-pump SCADA network was found by hackers within days and soon became the target of a dozen serious attacks.

Insider threats are another cause for concern. In 2007, headlines told of an intruder who installed unauthorized software and damaged the computer used to divert water from the Sacramento River. In hindsight, this turned out to be a former, and probably disgruntled, employee.

An infected laptop PC gave hackers access to computer systems at a Harrisburg, PA, water treatment plant. An employee’s laptop was compromised via the Internet, likely through a watering hole attack, and then used as an entry point to install a virus and spyware on the plant’s computer system.


A lot of what we can learn from these incidents will already sound familiar to most of our readers. Countermeasures that security teams in water management plants and organizations can apply follow many of the same cybersecurity best practices as corporations protecting against a breach. Some of our recommendations include the following:

  • A clear and strict Bring Your Own Device (BYOD) policy can help prevent staff bringing in unwanted threats to the network.
  • A strict and sensible password regime can hinder brute force attacks and should lock out the accounts of employees who have left the firm.
  • Legacy systems that serve as human interfaces should not have Internet access.
  • Easy backup and restore should be made possible to keep any disruption limited in time and impact. Needless to say, this is imperative for critical systems.
  • Software running on industrial control systems and SCADA servers should not give away the nature of the plant or the underlying hardware. This makes it harder for attackers to find out which exploits will be successful.
  • Use secure software, even though you cannot control or check the security of your hardware.
  • Monitor the processors and servers that are vital to the infrastructure constantly so any abnormal behavior will be flagged immediately.
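Two of these recommendations (no Internet access for legacy HMIs, and constant monitoring that flags abnormal behavior) can be checked together from ordinary firewall or flow logs. The script below is an added example, not code from the article or from any vendor: it reads constructed key=value flow records and flags any host in an assumed OT subnet that talks to an address outside private space and outside a small allowlist, which is exactly the path the cryptominer described above took in. The OT subnet, the allowlist, the log format and the field names are all assumptions.

```python
"""Flag OT/SCADA hosts (e.g. legacy HMIs) that reach the public Internet.
Added example, not from the original article; log format, field names,
OT subnet and allowlist are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Assumption: the OT/SCADA subnet where the PLCs and HMIs live.
OT_NETWORK = ipaddress.ip_network("10.50.0.0/16")
# Assumption: the one external service an HMI may reach (vendor patch server).
ALLOWED_DST = [ipaddress.ip_network("192.0.2.0/24")]
# Private, loopback and link-local space; anything else counts as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample flows; documentation ranges stand in for public IPs.
SAMPLE_LOGS = """\
ts=2018-02-05T09:12:01 src=10.50.3.17 dst=10.50.1.2 dport=502 action=allow
ts=2018-02-05T09:12:07 src=10.50.3.17 dst=192.0.2.20 dport=443 action=allow
ts=2018-02-05T09:13:44 src=10.50.3.17 dst=203.0.113.45 dport=443 action=allow
ts=2018-02-05T09:13:52 src=10.50.3.17 dst=198.51.100.8 dport=3333 action=allow
ts=2018-02-05T09:14:02 src=10.10.7.5 dst=203.0.113.45 dport=443 action=allow
ts=2018-02-05T09:15:30 src=10.50.3.9 dst=10.50.1.3 dport=44818 action=allow
"""

def parse_line(line):
    """Parse one key=value flow record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def is_internet_egress(src, dst):
    """True when an OT host talks to a destination that is neither internal
    nor allowlisted, i.e. a legacy HMI has reached the Internet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in OT_NETWORK:
        return False  # corporate IT hosts are out of scope for this rule
    return not any(dst_ip in net for net in INTERNAL_NETS + ALLOWED_DST)

def find_egress(log_text):
    """Return {ot_host: [(dst, dport), ...]} for every flagged flow."""
    hits = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        if is_internet_egress(rec["src"], rec["dst"]):
            hits[rec["src"]].append((rec["dst"], int(rec["dport"])))
    return dict(hits)

if __name__ == "__main__":
    for host, flows in find_egress(SAMPLE_LOGS).items():
        print(f"ALERT: OT host {host} reached the Internet: {flows}")
```

On the sample data only the HMI at 10.50.3.17 is flagged: its Modbus traffic to the PLC and its allowlisted vendor connection pass, while the two public destinations (one on a typical mining-pool port) are reported.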

Water and power

As you can see, there are many similarities between water management plants and power plants. While water management may be even more vital to our existence, many of the threats are basically the same. This is due to the similarities in plant infrastructure and hardware.

And when the threats are the same, you will see that the countermeasures are also similar. What’s strange, however, is that despite both water and power being vital to the country’s infrastructure, their cybersecurity budgets are quite limited, and they often have to work with legacy systems.

When the city of Atlanta was crippled by a ransomware attack in March 2018, city utilities were also disrupted. For roughly a week, employees with the Atlanta Department of Watershed Management were unable to turn on their work computers or gain wireless Internet access. Two weeks after the attack, Atlanta completely took down its water department website “for server maintenance and updates” until further notice.

Instead of systems backing each other up, they brought each other down like dominoes—an almost perfect example of Murphy’s Law, or the “butter side down” rule, as my grandma used to call it. It doesn’t have to be that way, and when it comes to our vital infrastructure, it shouldn’t.

Stay safe and hydrated, everybody!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.