Cyberattacks targeting connected water storage, distribution and treatment infrastructures are on the increase, causing significant damage to municipalities, with sometimes dramatic consequences. Because water is a vital resource to be protected. Second paper in a series of articles on cybersecurity issues in connected and smart cities.
A cybercriminal attempts to erase the computer programs used for purifying drinking water and threatens to poison the inhabitants in surrounding towns. This is not a worst-case scenario from a futuristic novel, but from what happened to a water treatment facility in the San Francisco Bay in January 2021, as reported by NBC News. A month later, another cyberattack targeted the water supply system of a small town in Florida. With population growth and rising temperatures due to global warming, the question of water management has become an issue for civilisation, whether it be in terms of wastewater treatment, clean water storage or its distribution. With the interconnection of these infrastructures, these networks and equipment have become prime targets for cybercriminals.
Cyber risks associated with water management
Temperature and pressure management; optimised water quality through real-time monitoring of the various chemical components; leak detection and predictive maintenance; improved sustainability and profitability of management services; smart meters: connected applications for water management are numerous and enhance health security. But is this at the expense of digital security? Most of these applications are based on a configuration that has grown, particularly since the COVID-19 pandemic: remote maintenance. A step forward in terms of public service management, but one that increases the attack surface and constitutes a threat in terms of cybersecurity. In recent years, remote management has led to an increase in intrusions and attacks on connected systems. It must be said that vulnerability points of remote maintenance interfaces are numerous. They depend on both the infrastructure’s interconnection surface and the robustness of the technologies chosen. These characteristics are disparate depending on the city, as outlined in a study from the cybersecurity laboratory at the University of Berkeley.
There are many players in the water industry, spread over a long cycle, from the wastewater treatment and rainwater network to the drinking water network and the places where water is consumed or used. In terms of technology, industrial water management systems have a variety of operational equipment such as industrial process control systems (ICS, Industrial Control System), human-machine interfaces (HMI), industrial programmable logic controllers (PLC) and cloud platforms. However, all these technologies are ageing, often disparate and create a vast and complex attack surface. In addition to this, there are real differences in maturity between the entities in this water industry, where water towers are the rare good performers. Their OT networks are distributed throughout the country but must remain connected. For other players in the water cycle, it is common to note a lack of segmentation in industrial networks, still designed in a “flat” architecture and vulnerable to malware propagation. The operating systems of the various monitoring and programming workstations can be another entry point for cybercriminals, often singled out for a lack of regular updates.
Beyond health related harm to inhabitants, a successful cyberattack on the water management system could also lead to an environmental disaster. If a cybercriminal manages to infiltrate management systems, he/she could, for example, interfere with the valves and change the composition of water. Another dreaded consequence of the water business is the interruption of the service; essential to daily life. Potential consequences: a series of emergency situations, particularly in hospitals, factories and other critical services, where water is essential.
Anatomy of cyberattacks targeting water infrastructures
In recent years, the methods used by cybercriminals to target water management infrastructures have been characterised by their diversity. The first is the so-called man-in-the-middle technique, which consists in interrupting, falsifying or corrupting communications between connected interfaces, such as those located on a smart water valve or those present at water treatment sites. It is possible to imagine a diversion of wastewater flows if a PLC is compromised, which would lead to a pollution phenomenon by their massive discharge into the clean water basin. And this type of scenario is no longer hypothetical, but a reality. As proof, recent years have been marred by incidents whose consequences could have been dramatic.
In 2020, Israel, a country already in a situation of water stress due to its geography, faced 3 major cyberattacks. In April of this year, cybercriminals suspected of being affiliated with the Iranian regime launched attacks on several pumping stations and wastewater treatment facilities, attempting to increase the level of chlorine in some of the water supply systems that supply part of the Israeli population. A few months later, in June, the situation became worse when similar attacks targeted dedicated water pumps for agriculture in the Galilee region, as well as a water supply system in the province of Mateh Yehuda. A scenario repeated in December with a new cyberattack on water treatment facilities.
Europe is obviously not spared in this water cyberwar. In France, in 2023, the Ile-de-France Public Sanitation Service, which manages the water supply for 9 million inhabitants of the Greater Paris metropolis, declared that it had been the victim of an “extensive and virulent” cyberattack aimed at controlling its networks and plants. In the same year, an Italian company providing drinking water for nearly half a million people faced an interruption of the service due to a ransomware attack. And, just a few months apart, a similar attack disrupted the operation of a water management infrastructure in Portugal. The cybercriminal group LockBit claimed responsibility for the attack.
In the United States, the threat to water services is so serious that several government agencies, including the FBI and the NSA, are investigating five of the biggest attacks to date on American infrastructures. In 2023, a group of Iranian cybercriminals operating under the name “CyberAv3ngers” targeted PLCs manufactured by the Israeli company Unitronics Vision Series, using a password related breach. In total, more than a dozen water management infrastructures were affected, a specialist site reported.
What protective measures should smart cities adopt?
In view of these observations, an initial response has been to introduce stricter regulations. At the European level, the NIS2 directive extends the scope of critical infrastructures to include water supply sectors. This new text will apply to both local authorities and businesses to strengthen and coordinate efforts to manage cyberattacks. A much needed tougher legislation, given the ever-increasing integration of technology into urban environments. Whether it is predictive maintenance using smart sensors on the water network to anticipate leaks or the remote management of water infrastructures, the Smart City must guarantee its cybersecurity to support these new uses and improve its resilience posture.
For local authorities, protective measures are as much about good digital hygiene practices as they are about the practical implementation of appropriate cybersecurity solutions. As in other sensitive sectors, the issue of accessibility to information is fundamental and the implementation of control systems to limit access to critical data is a first obvious step. Only giving access to authorized personnel, and removing this access once a person has left the company, should not always be taken for granted in every company... Since accesses are increasingly remote, players in the water sector must ensure that these communication flows are properly protected, i.e. encrypted and accessible only to authenticated users. To achieve this, data encryption solutions and VPN tunnels are valuable allies in ensuring secure and trustworthy communications.
In addition to data protection, the protection of workstations (on which control tools are often installed) and remote HMIs must not be neglected either. The most robust and modern protection solutions can prevent malicious remote tampering or contamination by a simple USB key.
For Smart Cities IT and OT networks, different levels of cybersecurity solutions already exist to ensure that they are impervious to attacks. Network segmentation is a first level of security, to be quickly implemented; by separating the different zones of a network and filtering communications between these zones, it is possible to limit interactions and therefore the propagation of a cyberattack. Segmentation is achieved with a router, integrated into a firewall with the following security functions: real-time protection (intrusion prevention and detection, application control, antivirus, etc.), control and monitoring (URL filtering, IP geolocation, vulnerability detection, etc.) connectivity (WAN link management, VPN tunnel management, bandwidth management, etc.) or secure communications (IPsec VPN, SSL VPN, etc.). Concerning these firewalls and their physical version, close attention must be paid to their integration and response capabilities to the stringent constraints of the water industry (such as humidity for example).
The need to equip and strengthen the protection arsenal for water management infrastructures in smart cities is therefore measured by the seriousness of the consequences that a successful cyberattack could entail. And while there are already many conflicts in cyberspace, the increasing scarcity of water as a resource poses another equally real geopolitical threat, for States. More than ever, water and its protection are becoming a political issue.
