Water

Published on 01 Jul 2019

Updated on 08 Oct 2019

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


OVERVIEW

Industrial Control Systems (ICS), which allow utilities operators in sectors like Water and Energy to remotely monitor and control industrial processes, are often thought to be relatively safe from harm since many do not have connections to the Internet. But they can still be susceptible to a cyber-attack as new means to get into the systems are being developed, and even demonstrated. Cyber-physical threats to water infrastructure can lead to a wide range of effects, including changes to water quality and supply.



Singapore’s Water ICS are relatively safe from cyber-attacks as they are segregated from the Internet, and are not accessible remotely over public networks. In addition, the Smart Water Grid that PUB uses for remote monitoring and asset management functions is on a separate network from the critical operational systems that provide the delivery of essential services. Nevertheless, there are other attack vectors, including insider jobs and third-party service providers who may inadvertently contaminate the ICS while doing system maintenance. Readiness and resilience – in all aspects – must remain the keystone of risk management, incident response, and recovery, especially for a critical sector like Water.

REPORTS

UTILITY CYBERATTACK HIJACKED INTERNET BANDWIDTH, NOT WATER

A US Department of Homeland Security intelligence briefing published in March 2017 revealed that a 2016 cyber-attack on a water authority had aimed to steal Internet service – lots of it. As the hacker took command and used the routers, the authority’s cellular data bill spiked more than 1,500 per cent in December 2016 and January 2017. The intrusion did not damage utility infrastructure per se, but in compromising four of the utility’s seven cellular routers, it meant that the water authority’s wireless access could have been slowed, which in turn could affect its monitoring of the utility’s dispersed collection of pumping stations and other sites.

Industry observers said that financial motivations were more likely than destructive objectives. However, the hacking of cellular routers demonstrated that water infrastructure remained vulnerable to malicious cyber actors.

Read on by clicking on the story below:


RESEARCHERS SIMULATE RANSOMWARE ATTACK AND TAKEOVER OF WATER PLANT OPERATIONS

Researchers kicked off RSA 2017, an annual cybersecurity conference, with a simulated ransomware attack on a water treatment plant by using a custom malware that allowed the “attackers” to lock out the authorised operators, control plant valves, adjust chlorine levels, and falsify readings in the simulated plant. Essentially, they showed how it was possible to poison the water supply. The demonstration combined two attack vectors that have caused great concern in the cybersecurity industry in recent years: ransomware attacks, and attacks on critical infrastructure that could lead to massive damage and even loss of life.

One of the key problems cited for critical infrastructure is how some of its owners have enabled Internet connectivity, for remote monitoring for instance, but have not ensured the security of the ICS, which were not initially intended to be connected to the Internet.

Read on by clicking on the story below:


QUEENSLAND WATER GRID NOT PREPARED FOR CYBER INCIDENT

A 2016-2017 audit of an Australian state’s water grid found that most operators were not sufficiently prepared for a cyber-attack, leaving the state’s water supply vulnerable. The Queensland Auditor-General’s report, released in June 2017, found that bulk water providers SeqWater and SunWater, as well as local councils, did not have adequate measures in place to maintain water supply in the event of their systems being hacked.

The report made several recommendations to beef up cybersecurity and emergency processes, which included improvement of oversight and monitoring of potential cyber threats, and of internal processes to better respond to and recover from malicious attacks.

Read on by clicking on the story below:


UK GOVERNMENT SETS OUT WATER SECTOR CYBERSECURITY STRATEGY

The UK Department for Environment, Food, and Rural Affairs has set out a new strategy to reduce the risks of cyber-attacks in the water industry. Recent cyber risk reviews by government experts found “significant opportunities” for the water sector to operate at a higher level of cyber security maturity.

The strategy identified a number of key areas the sector should focus on, which included completely separating information technology (IT) and operational technology (OT) systems or networks to prevent possible infections or attacks from impacting processes that could cause physical damage.

Read on by clicking on the story below:

EUROPEAN COMMISSION LAUNCHES RESEARCH PROJECT ON CYBER-PHYSICAL THREATS TO WATER INFRASTRUCTURE

A new European Commission Horizon 2020 (H2020) research project was launched on 1 Jun 2017 to identify current and future risk landscapes and to develop a risk management framework for the physical and cyber protection of water critical infrastructure. The four-year project STOP-IT (Strategic, Tactical, Operational Protection of water Infrastructure against cyber-physical Threats) seeks to develop solutions to improve incident response and resilience in the sector.

The automated vehicle market is forecast to be worth up to £52 billion by 2035, a value that would potentially be disrupted should manufacturers not devise an effective strategy against the attacks that continue to be one of the main threats facing autonomous technology.

The project will pull together a team of experts from major water utilities, industrial technology developers, high-tech SMEs, and top R&D providers across Europe and Israel. Solutions will be demonstrated at four advanced water companies in Spain, Germany, Israel, and Norway.

Read on by clicking on the story below:


OVERVIEW

HAVE YOU SEEN…

WarGames (1983): A young high school student unwittingly hacks into a military supercomputer originally programmed to predict possible outcomes of nuclear war, and almost kicks off World War III between the US and the Soviet Union when the supercomputer cannot differentiate between reality and a simulation.

WarGames

After watching this film, then-US President Ronald Reagan asked and was told that this scenario could indeed happen. WarGames is arguably the seminal cybersecurity movie and maybe even the direct impetus of the US’ first-ever national directive to secure its computer technology – NSDD-145, “National Policy on Telecommunications and Automated Information Systems Security.”

Also worth watching: Hackers (1995), The Net (1995), Lo and Behold, Reveries of the Connected World (2016), and maybe just one episode of the animated-CGI cartoon series ReBoot (1994-1996).

SOURCES INCLUDE: Circle of Blue, SC Magazine UK, Sky News, Energy Live News and CORDIS Europa