Do You Think Your Drinking Water is Safe from Cyberattacks?
We have seen multiple attacks in the last few years on municipal water supplies. The good news is that none of them killed anyone. Mostly, that was just because we were lucky.
A bug in a TLS certificate (used to implement HTTPS) allowed researchers to view the water system control panel in hundreds of public water systems and change parameters in dozens of water systems.
While viewing the water systems control panels might give hackers intelligence that could lead to a future cyber attack, their ability to change parameters could kill people.
For example, if you significantly increased the amount of chlorine in the water you could turn the water supply into poison. On the other hand, if you decreased the amount of chemicals or other parameters, pathogens could slip through and make their customers sick.
In general, this is the reason that most public water supplies virtually continuously monitor the state of the water. For the systems that don’t automate the testing, they have to run the tests manually multiple times a day.
Besides that, potentially, a hacker, if they knew what they were doing, could possibly damage the equipment causing the system to shut down. We have seen proof of concepts of this form of attack.
The researchers were able to identify the specifics of what water systems they were looking at by looking at the code in the web page they were seeing.
In this case, the researchers found 40 public water supply systems completely unprotected. This rightfully freaked the researchers out and they immediately notified the EPA and the manufacturer of the software.
Unimpressively, after nine days, a little less than a quarter of the systems had been locked down. After a month a little more than half of the systems locked things down. By last month, more than 6 months after the EPA was notified, most, but not all, of the systems were locked down. They are not saying which cities did not get with the program.
This is not a theoretical problem. Last year pro-Russia hackers demonstrated they could do it.
Public water supplies are only one example of critical infrastructure that is not protected. Countries like Russia and China are continuously looking to find an opening. When they find one, they may just catalog it for later use. They do not call the EPA. Credit: Security Week
by 