The Rising Threat of Cyber-Attacks in Water Utilities


As the landscape of cyber security threats continues to evolve, industries once considered immune to such risks are now finding themselves in the crosshairs. Among these is the water utilities sector, a critical infrastructure area that encompasses over 100,000 public and private utilities. The sector's diversity, spanning utilities of all types and sizes, has left many unprepared for the rising tide of cyber-attacks. Resource constraints often leave these utilities ill-equipped to combat the growing threat, a fact not lost on ransomware gangs. As we step into 2024, the trend of compromising water utility facilities shows no signs of abating.

The Beginning - Unitronics:

The vulnerability of water utilities first came to light with the compromise of Unitronics products in late 2023. Unitronics is a company specializing in automation solutions, known for its Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs), which are widely used in water utility facilities worldwide. In November 2023, a water utility facility in Aliquippa, Pennsylvania, fell prey to a foreign attacker known as the “Cyber Av3ngers”. The attacker gained access to a station that monitored and regulated water pressure. Upon detection of the breach, authorities swiftly switched the station and the rest of the facility to manual operation. The investigation revealed that the attackers exploited the PLC and HMI components' weak password security and internet exposure. It is speculated that a Microsoft Exchange vulnerability (CVE-2022-41080) facilitated the attacker's brute force entry into the system. Moreover, Unitronics systems were shipped with a publicly known default password, “1111”, which compounded the exposure.

The successful attack by the Cyber Av3ngers not only put them on the map, but also drew the attention of other cyber-criminal groups to a sector historically less targeted by cyber-attacks. This led to a spate of attacks from various quarters.

Erris Water, Southern Water, Veolia:

Early 2024 saw multiple water utility companies worldwide falling victim to various attacks. The Cyber Av3ngers continued their onslaught on Unitronics-related devices, successfully shutting down a water treatment facility in Erris, a remote area in northwestern Ireland. The facility was using Eurotronics products, a rebranded version of Unitronics PLC and HMI technologies, which exposed it to the same weak-password vulnerability.

Simultaneously, Southern Water in England fell victim to a ransomware attack. Southern Water, which provides water to 2.5 million customers and wastewater services to 4.7 million customers in southern England, was targeted by the Black Basta ransomware group. The group reportedly stole 750 GB of data using sophisticated social engineering attacks. While no disruption to OT systems was reported, Black Basta set a deadline for Southern Water to respond. Failure to pay the ransom would result in the data being leaked on the group’s torrent site. The outcome of this situation remains unknown, suggesting the possibility that the ransom was paid.

In the same week, Veolia North America was compromised in an attack that disrupted the company’s bill payment systems. Veolia, which provides water and wastewater services to approximately 550 communities across the United States and Canada, took its systems offline to contain the breach. The disruption led to customers being unable to pay their bills on time. Additionally, private investigators assisting Veolia discovered that some individuals may have had their personal information stolen.

While the cyber security readiness of the water utility sector may still be developing, significant strides are being made to bolster its defenses. Initiatives by the Environmental Protection Agency (EPA) and the federal government are underway to enhance the resilience of these critical systems. The EPA has been proactive in providing resources and guidance to help public water systems prevent, detect, respond to, and recover from cyber incidents. These efforts, along with the collaboration between federal agencies and the water sector, demonstrate a concerted effort to address the cyber security challenges facing water utilities and ensure the protection of this vital infrastructure.

Security Measures:

The implementation of preventative measures within an organization significantly reduces the likelihood of a successful cyber-attack. By applying a defense in depth strategy, organizations can deploy layered security measures, establish variable barriers across multiple layers, and introduce redundant defensive mechanisms to enhance protection. This comprehensive approach involves network configuration, rigorous employee training, and robust policy development, among other strategies, to mitigate the chances of an attack's success. Defense in depth ensures that if attackers breach one layer of security, they are met with additional barriers, increasing the complexity and effort required to compromise the system. This method not only reduces vulnerabilities but also contains threats and mitigates risks by leveraging a combination of advanced security tools, data encryption, and integrity auditing solutions. Ultimately, a well-structured defense in depth strategy significantly bolsters an organization's security posture against a wide array of cyber threats.
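The layered controls described above can be checked rather than just described. The following is an added example, not code from the original article or from CISA, that covers two of those layers for PLC/HMI assets: a preventive audit of an asset inventory (unchanged vendor default password such as the “1111” cited above, management interface outside the internal address ranges, remote access without MFA) and a detective check over authentication logs for brute-force bursts followed by a successful login. The inventory records, the log line format and the addresses are all constructed for the example; the field names are this example's own convention, not a vendor schema.

```python
"""Added example: defense-in-depth checks for PLC/HMI assets.

Preventive layer: audit an asset inventory for missing controls.
Detective layer: flag brute-force bursts in authentication logs.
All records and log lines are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Address ranges treated as "internal" (RFC 1918). Anything outside them is
# assumed to be reachable from the internet; the documentation range
# 203.0.113.0/24 stands in for a public address below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory. "default_pw_changed" records whether the vendor
# default (e.g. "1111" on Unitronics devices) was replaced.
SAMPLE_INVENTORY = [
    {"asset": "plc-booster-1", "mgmt_ip": "203.0.113.20",
     "default_pw_changed": False, "remote_mfa": False},
    {"asset": "plc-booster-2", "mgmt_ip": "10.40.1.12",
     "default_pw_changed": True, "remote_mfa": True},
    {"asset": "hmi-pressure", "mgmt_ip": "10.40.1.30",
     "default_pw_changed": False, "remote_mfa": True},
]


def audit_inventory(inventory):
    """Return (asset, finding) pairs, one per missing preventive control."""
    findings = []
    for rec in inventory:
        ip = ipaddress.ip_address(rec["mgmt_ip"])
        if not rec["default_pw_changed"]:
            findings.append((rec["asset"], "default-password-unchanged"))
        if not any(ip in net for net in INTERNAL_NETS):
            findings.append((rec["asset"], "internet-exposed"))
        if not rec["remote_mfa"]:
            findings.append((rec["asset"], "remote-access-without-mfa"))
    return findings


# Constructed log format: "<iso-timestamp> <host> auth <failed|ok> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2023-11-25T10:00:01Z hmi-pressure auth failed user=admin src=203.0.113.5
2023-11-25T10:00:03Z hmi-pressure auth failed user=admin src=203.0.113.5
2023-11-25T10:00:05Z hmi-pressure auth failed user=admin src=203.0.113.5
2023-11-25T10:00:07Z hmi-pressure auth failed user=admin src=203.0.113.5
2023-11-25T10:00:09Z hmi-pressure auth failed user=admin src=203.0.113.5
2023-11-25T10:00:12Z hmi-pressure auth ok user=admin src=203.0.113.5
2023-11-25T10:05:00Z hmi-pressure auth failed user=operator src=10.40.1.50
2023-11-25T10:05:04Z hmi-pressure auth ok user=operator src=10.40.1.50
2023-11-25T10:05:10Z plc-booster-1 link up port=eth0
"""


def detect_auth_anomalies(log_text, threshold=5, window_seconds=60):
    """Sliding-window brute-force detection per (host, source) pair.

    Emits a "bruteforce" alert once a pair reaches `threshold` failures
    inside `window_seconds`, and a "success-after-bruteforce" alert for any
    later successful login from a pair already flagged.
    """
    recent = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an auth event (or malformed); skip
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key = (m["host"], m["src"])
        if m["result"] == "failed":
            q = recent[key]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()        # drop failures that fell out of the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", m["host"], m["src"], len(q)))
        elif key in flagged:
            alerts.append(("success-after-bruteforce", m["host"], m["src"], m["user"]))
    return alerts


if __name__ == "__main__":
    for asset, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"[inventory] {asset}: {finding}")
    for alert in detect_auth_anomalies(SAMPLE_LOG):
        print("[auth-log]", alert)
```

On the sample data the audit reports three gaps on plc-booster-1 and one on hmi-pressure, and the log check raises one brute-force alert for the external source against hmi-pressure followed by a second alert when that source logs in successfully; the single operator typo from an internal address stays below the threshold. The "success-after-bruteforce" alert is the one an incident response plan should route straight to the step of taking the station to manual operation, as the Aliquippa response did.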

Furthermore, it is important to have the proper security measures in place to mitigate the damage of being compromised. CISA, along with over 25 water and wastewater systems, recommends incorporating the below four stages into your organization’s incident response plan.

References:

Cybersecurity and Infrastructure Security Agency. (2024, January 18). CISA, FBI and EPA release incident response guide for water and wastewater systems sector. https://www.cisa.gov/news-events/news/cisa-fbi-and-epa-release-incident-response-guide-water-and-wastewater-systems-sector 

Ciglic, K. (2023, December 13). Multistakeholder cooperation to protect water sector from growing threats. Microsoft On the Issues. https://blogs.microsoft.com/on-the-issues/2023/12/13/cyberattacks-water-infrastructure-cyberspace-solarium-commission/ 

Elsad, A. (2022, August 25). Threat assessment: Black Basta ransomware. Unit 42 | Palo Alto Networks. https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ 

Gatlan, S. (2024, January 23). Water services giant Veolia North America hit by ransomware attack. BleepingComputer. https://www.bleepingcomputer.com/news/security/water-services-giant-veolia-north-america-hit-by-ransomware-attack/ 

Jones, D. (2023, November 29). CISA warns of threat groups exploiting Unitronics PLCs in water treatment hacks. Cybersecurity Dive. https://www.cybersecuritydive.com/news/cisa-threat-exploiting-unitronics-water/700999/

Kovacs, E. (2023, November 29). CISA warns of Unitronics PLC exploitation following water utility hack. SecurityWeek. https://www.securityweek.com/cisa-warns-of-unitronics-plc-exploitation-following-water-utility-hack/ 

Kovacs, E. (2023, December 8). Cyberattack on Irish utility cuts off water supply for two days. SecurityWeek. https://www.securityweek.com/cyberattack-on-irish-utility-cuts-off-water-supply-for-two-days/ 

Kovacs, E. (2024, January 24). Major US, UK water companies hit by ransomware. SecurityWeek. https://www.securityweek.com/major-us-uk-water-companies-hit-by-ransomware/

Pandagle, V. (2023, February 6). Have you patched this Microsoft vulnerability yet? The Cyber Express. https://thecyberexpress.com/microsoft-exchange-server-remains-vulnerable/

Scroxton, A. (2024, January 24). Southern Water confirms cyber attack after Black Basta claims. Computer Weekly. https://www.computerweekly.com/news/366567455/Southern-Water-confirms-cyber-attack-after-Black-Basta-claims 

Toulas, B. (2023, November 29). Hackers breach US water facility via exposed Unitronics PLCs. BleepingComputer. https://www.bleepingcomputer.com/news/security/hackers-breach-us-water-facility-via-exposed-unitronics-plcs/