Water and Waste Water
December 1, 2020: Hackers Accessed HMIs at Israeli Water Facility
An Iranian threat actor published a video of a breach of an Israeli reclaimed water reservoir HMI system. According to industrial cybersecurity firm OTORIO, the hackers accessed a human-machine interface (HMI) system that was directly connected to the internet without any authentication or other type of protection. The target was apparently a reclaimed water reservoir. “This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser,” OTORIO said in a blog post.
April 24, 2020: PLCs Targeted in Water and Wastewater Facilities Attacks in Israel
The Israeli government revealed that wastewater treatment plants, pumping stations and sewage facilities across the country were targeted in a coordinated attack on April 24 and 25. Sources told SecurityWeek that the attackers targeted programmable logic controllers (PLCs) used to control valves. The changes made to the PLC logic were valid, which indicates that the attackers knew exactly what they were doing. The attack may have been discovered after the compromised PLCs caused suspicious valve changes, but it’s unclear if the attackers were trying to cause damage by tampering with valves or if they made an error that led to their discovery.
September 15, 2019: Colorado Water Utility Customer Data Compromised by Data Breach at Payment Vendor Click2Gov
A Colorado water supplier is the latest victim of a series of attacks on the Click2Gov municipality payment software. In a statement issued to the press on Monday (December 30), Aurora Water said that the personal information of customers who had used the platform between August 30 and October 14 had been impacted. An unauthorized actor, it explained, had “modified a piece of computer code” used by Click2Gov “to capture limited personal information such as first and last name, billing address, payment card type, payment card number, payment card verification value, and payment card expiration date.”
Aurora Water, which provides water to 360,000 residents in Aurora, Colorado, said that upon discovering the incident it took “Click2Gov offline for any new reoccurring or one-time payments” and launched an investigation.
February 11, 2019: Colorado Water and Sanitation District Locked Out of Engineering Data and Drawings
When employees of the Fort Collins Loveland Water District and South Fort Collins Sanitation District got to work the morning of Feb. 11, they were locked out of technical and engineering data and drawings stored on their computers. The districts had fallen victim to a ransomware cyberattack, the second in two years, General Manager Chris Matkins said. Hackers were holding the data hostage and demanding a ransom payment before they'd unlock the information. Matkins won't say how big the ransom demand was or how payment was to be made. "It's not something we will talk about," he said. "It didn't have any bearing on how we responded."
June 1, 2013: OT Attack on Bowman Avenue Dam Illustrates Vulnerability of the U.S. Infrastructure
Hackers took extensive information about the Bowman Avenue dam in Rye, New York. They broke into the dam's SCADA (Supervisory Control and Data Acquisition) system by exploiting a vulnerable modem connection. While there are multiple theories about the intention of the attack, the hackers wouldn't have been able to do any damage at that time because the sluice gate had been manually disconnected for maintenance. An investigation pointed to Iran as the likely source of the attack. This and similar attacks seemed intent on gathering detailed information, including engineering drawings, about networks and facilities.
March 15, 2016: Hackers Manipulated Water Supply at Unnamed Water District – ‘Kemuri’
The unnamed water district, referred to as Kemuri, had asked Verizon Security Solutions to conduct a proactive assessment as part of its efforts to keep systems and networks healthy. Experts soon discovered clear signs of malicious activity. They immediately noticed that the organization had a poor security architecture, with Internet-facing systems plagued by high-risk vulnerabilities. Hackers took advantage of outdated systems and poor cyber hygiene and were able to cross breach, jumping from the IT side to the OT side, to access 2.5 million financial records and to manipulate the area’s water supply.
The 'Kemuri' Water Company was able to remediate the changes made to the water supply, and the customer impact was minimal. But the insecurity of the plant’s networks could have led to far more serious consequences, including risk to human safety.
April 25, 2016: Lansing, MI, Public Utility Compromised by Attack, $25K Ransom Paid
The Board of Water and Light (BWL) in Lansing, Michigan, was struck by ransomware on Monday, April 25, 2016. The cyberattack shut down BWL's accounting and email systems after an employee unknowingly opened an email with an infected attachment. This would seem to be the first disclosed example of a utility being successfully compromised by ransomware.
The Lansing Board of Water & Light paid a $25,000 ransom to unlock its internal communications systems after they were disabled by a cyberattack last spring, officials said Tuesday. BWL General Manager Dick Peffley pegged the cost of responding to the emergency, including the ransom and technology upgrades to prevent future attacks, at $2.4 million. All but $500,000 of those costs are covered by insurance. Paying the ransom was “the only action we could take to unlock our system and free it from the ransomware.”
August 26, 2022: City of Hamilton Informs Water Customers of Ransomware Attack
The City of Hamilton alerted customers to a recent ransomware attack connected with a third-party vendor that sends emails to water customers. In a release, staff say the “possible data breach” may have ties to Neptune Technology Group, which replaces and maintains water meters, and a third-party mailing vendor that informs residents of a need to replace a meter. The city said “Hamilton Water considers this is a low-risk incident for residents, but felt it important to inform the community.” It’s believed 2,387 out of about 156,000 accounts may have been subject to the attack, giving access to personal information like names and mailing addresses. Neptune Technology Group has stopped using and sharing information with the mailing vendor as a precaution.
August 15, 2022: UK Water Utility Suffers Cyberattack
Customers have been assured there is safe drinking water after South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water in the UK, fell victim to a cyberattack Monday.
The company supplies 330 million liters of drinking water to 1.6 million customers.
“This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers," the company said in a statement. "This is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis."
July 7, 2022: Rhode Island Sewer System Operator Hit by Cyberattack
The Narragansett Bay Commission, which runs sewer systems in parts of the metropolitan Providence and Blackstone Valley areas, was hit by a ransomware attack on its computer systems. A spokeswoman for the commission acknowledged the attack in a Friday evening email to The Providence Journal.
"Last week, the Narragansett Bay Commission identified a cybersecurity incident that involved the encryption of data on certain computers and systems in its network," spokeswoman Jamie R. Samons said in the email. While she did not specify a ransomware attack, such attacks typically involve hackers encrypting data on a victim's computer system and refusing to supply the key to decode the data until a ransom is paid.
Samons did not reply to a follow-up email asking whether a ransom was paid. She did note that the systems hit by the attack are not ones that control the operation of the sewage system.