Water Utility Hacking 101

Picture of Waterfall team

Waterfall team

Water is life! Water is probably the most important resource for maintaining society and order. It’s easy to take for granted and often dismissed as an easily attainable resource. But when push comes to shove, just a few short days without running water would start to have a profound negative effect on society and economies.

Securing water supplies is important, both practically and symbolically.

Here are some important aspects to consider when securing a water providing utility:

What are the cyber-risks for a Water Utility? 

The idea that hackers will somehow hack into a water utility and poison the water supply is for Hollywood movies. In reality, there are too many physical constraints that make such a hacking goal impossible, including the fact that workers manually check the water before it is released for tap use.

If a hacker did try and poison the water supply, they’d probably just cause a large batch of water that needs to be dumped or diluted.

Want to learn how to secure your water facility?

Get our EPA Checklist Critical Water Infrastructure

Get the full checklist

So, what is the REAL risk to a Water Utility?

There are many more risks that are much more dangerous than poisoning the water supply. Most ongoing operations in Water Utilities consist of orchestrated and automated systems, without a realistic option of switching to full manual operation.

If an attacker comes along and simply disrupts the industrial process in any way, it creates a huge mess! It costs lots of money to keep everyone working overtime to fix everything, and then there is still the issue that they have to do something with all the water. Hackers might also compromise physical systems in a way that can break pipes and pumps, which can cost a fortune to fix.

Many of these kinds of attacks are NOT THAT technically complex, but can cause huge physical damage as a consequence.

The 2 Stages of an ICS cyber-attack:

Stage 1 is when the hacker passes the cybersecurity defenses, either physically, socially engineered, or any way of getting past the firewall.  This 1st stage of the attack includes finding vulnerabilities and exploiting them and would most likely resemble a run-of-the-mill cyberattack on an IT department. Once the hacker is able to get past this part, they’d use that access to then progress into the OT system.

Stage 2 is the actual cyber-attack that the hacker carries out in the Industrial OT environment, often called “The Payload”. So far, 99% of cyberattacks on Water Utilities are usually attempts to encrypt systems for a ransom, or to exfiltrate sensitive data. Only rarely do the attacks introduce malware into the utility’s systems because industrial control systems are very unique, and the hacker(s) would have to be very familiar with each specific system to write a malware script that would work.

So the big new risk in the near future, is that hackers could use an AI (like ChatGPT) to help them write a malware script that the hacker would then inject into a water management facility’s OT, which can then break pumps, rupture pipes, or cause other physical damage that is costly, and will disrupt the water supply for days, weeks, or even months.

Water is a critical infrastructure for other critical infrastructure, such as hospitals and factories. Hackers might target a drinking water plant, with the goal of disabling another target which is using that water, not the water plant themselves -which constitutes a supply-chain attack.

Even though these new AI-driven capabilities seem to be focused on Stage 2, it greatly incentivizes more Stage 1 efforts as hackers will now have what to do once “they’re in”.

Historically, many water infrastructure facilities found comfort over the years in the fact that while their system might get hacked, the hackers would have nothing to do once inside their system, as the obscurity of their system made delivering a custom payload nearly impossible without a large team in place. That comfort is now longer afforded to water facilities.

Want to learn how to secure your water facility?

Get our EPA Checklist Critical Water Infrastructure

Get the full checklist


Stay up to date

Subscribe to our blog and receive insights straight to your inbox