The Cost of Doing Business, Pt. 2
Maybe You Will Care When Your
Taps Go Dry Or Worse
In its edition of February 13, 2019, The Smithsonian Magazine, published an in-depth article on the long history of the poisoning of water supplies as a tactic in warfare. The article posits that the first known and documented use of this tactic happened in ancient Mesopotamia around 2450 BCE. The Smithsonian author, Peter Schwartzstein, laments that the events surrounding that ancient conflict were only, "a brief taste of the misery to come."
Indeed, our modern world has also had its own taste of the same misery brought on by the destruction of water supplies. As an in-depth report made by Amnesty International, December 13, 2018, describes throughout its conflict in Iraq, ISIS had continually sabotaged its victims' water resources. The report describes the various ways that ISIS would sabotage the very means of subsistence these rural areas depended upon.
Some of the clearest examples of this are related to irrigation wells. These wells were often sabotaged with rubble, oil, or other foreign objects. Blockage was often accompanied by theft and/or destruction of the pump, cables, generators and transformers.
The Smithsonian article cited above states well the prevalence of this common tactic in warfare.
Since the dawn of conflict, armed groups have targeted water as both a tactic and potential weapon of war. In savaging rivers, wells, lakes and more, attacking troops punish locals for their lack of support—or render the land useless if facing imminent defeat.
And so it goes in our very modern cyberwar. Water treatment plants in the US and elsewhere are now frequent targets of cybercrooks and terrorists.
In an article in Security Week, dated, January 24, 2024, author Edward Kovacs, reported on two water systems, one in the United Kingdom, and the other in the US, that were both embroiled in ransomware attacks. In the US attack, Veolia North America’s Municipal Water division, posted on its website its notice of the attack, titled "Veolia Responds to Cyber Incident."
Last week, a ransomware incident affected some software applications
and systems in a portion of Veolia North America’s Municipal Water
division. Our IT and Security Incident Response Teams were quickly
mobilized, and we are actively cooperating with law enforcement and
other third parties to investigate and address this incident.
In
response to this incident, we implemented defensive measures, including
taking the targeted back-end systems and servers offline until they
could be restored. As a result, some customers experienced delays when
using our online bill payment systems. Those systems are working
normally again. Any payments made during this event have been applied,
and customer accounts should reflect the most updated information.
Customers will not be penalized for late payments or charged interest on
their bills due to this service interruption.
The water company is to be commended for its timely announcement. Viola went on to assure its customers that "there is no evidence to suggest it affected our water or wastewater treatment operations."
A similar incident occurred around the same time in the United Kingdom. Infosecurity Magazine reported, January 25, 2024, that Southern Water had also been a victim of a cyberattack involving ransomware. The statement published on the Southern Water website was sparse, to say the least: seven sentences, beginning with, "We are aware of a claim by cyber criminals that data has been stolen from some of our IT systems." The Infosecurity Magazine article cited above, laid the blame for the UK attack on a Russian hacker group known as "Black Basta." Infosecurity Magazine reported, November 30, 2023, that this, "Russian-speaking ransomware group has made over $100m from dozens of victims since April 2022."
Reporting,
November 27, 2023, The Record, informed that "The Municipal Water
Authority of Aliquippa — which serves
thousands of customers in
communities northwest of Pittsburgh" had likewise been a victim of a
cyberattack. In this attack, a hacker group that calls itself,
Cyber Av3ngers, and is associated with the government of Iran, took
responsibility for the Aliquippa attack. The
local CBS news affiliate reported, November 26, 2023, that "one
of their booster stations had been hacked by an Iranian-backed
cyber group." All the monitor screens at the attacked
station were plastered over with the image on the right. It is
believed that this water system was attacked because the plant "uses
a system called Unitronics, which Mottes says is software or has
components that are Israeli-owned," as the local CBS report made known.
Matthew Mottes, the chairman of the board of directors for the Municipal
Water Authority of Aliquippa, assured its customers, "that there is
no known risk to the drinking water or water supply."
As reported by The Record, November 29th, 2023, Uncle Sam, through its Cybersecurity and Infrastructure Security Agency (CISA) is now warning of the risks associated with "Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector." The CISA advisory, titled, "Exploitation of Unitronics PLCs used in Water and Wastewater Systems," dated November 28, 2023, warns about, "Attempts to compromise WWS integrity via unauthorized access threaten the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities." WWS is a CISA acronym for Water and Wastewater Systems.
The CISA advisory above offers all the usual suggestions made to prevent further exploitation of the vulnerability of the Unitronics controllers. Among those suggestions is the terrifying advice to "Ensure the Unitronics PLC default password “1111” is not in use." This begs the question: Are those in charge of the nations critical infrastructure so clueless that they would not change such a simple, and most likely well known, default password? In some cases, I am sure the answer to that question is Yep.
Reflecting the seemingly pervasive attitude so many involved with the technology associated with critical infrastructure our modern civilization is depends on, is best described as, "Let's wait until all the horses have long ago left the barn before taking any action." In a December 19, 2023, update to the CISA advisory cited above, CISA advises water plant operators to "Update PLC/HMI to the latest version provided by Unitronics."
December 1, 2023, a joint advisory, titled, "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities," was released by "The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)," that is intended "to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors." The complete Joint CyberSecurity Advisory is available here. [pdf will open] The document offers specific detection and mitigation steps to technical staff of facilities that may be impacted by this threat from Iran. Within the Joint Advisory is one statement that applies to every vendor of computer hardware and software. "...it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default."
Attacks on water treatment plants are not new. The Dispatches reported, July 19, 2022, on attacks on water plants that were blamed on threat actors emanating from North Korea. The title of that article of mine was: "Water, Water, Everywhere: So Why Does No One Seem to Care." The question now is when will these attacks morph from simple sabotage of computer screens, and the more costly ransomware attacks, to actual pollution of a municipal water supply? The question is more than rhetorical; it is only a matter of time.
After all, attacking water supplies was a favorite tactic of ancient and medieval warriors. As was pointed in The Smithsonian Magazine cited above, and quoting Peter Gleick, a scientist and water expert at the California-based Pacific Institute:
"The fundamental value of water to life makes it an attractive target during conflict... We understand now that that is a violation of human rights, but that has not prevented it, even in modern times, from being casualty of war.”
Surfer Joe
Now, look at him go-o-o-o-o-o
Surfer, Surfer, Surfer Joe-o-o
Go man go-o-o
Oh-oh, oh, oh, oh, Surfer Joe
— Surfer Joe, The Safaris
Gerald Reiff
| Back to Top | ← previous post | next post → |
| If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal | ||