Abstracts of these resources are available in the searchable Information Portal offered to Northwest Biosolids members.
1. Florida hack exposes danger to water systems
2. Cybercrime, cybersecurity and water utilities
3. A Review of cybersecurity incidents in the water sector
4. Cybersecurity protection for power grid control infrastructures
5. Protecting water and wastewater utilities from cyber-physical threats
The topic of the library this month is cyber security or the flip side of cyberattacks. This is typically something we associate with spy novels, the CIA, and 007. Not the stuff associated with Class B Cake. But a recent cyberattack on a water system in Florida (article #1) suggests that this is something we should at least put on our radars. If this were to happen and succeed, I would suggest that the ramifications for human health might be even greater than those associated with microplastics or PFAS. So read this blurb and even the articles and you can pretend you are reading a Le Carre novel. However, make sure a piece or part of what you read plants a seed in your brain. You can let yourself envision yourself as the next Bond, fighting off evil. In fact, I am sure many of you reading this bear a striking resemblance to the Bond pictured below.
The first article in the library is a news article that describes the attack this past February on a small-town water supply in Florida. An operator noticed that the cursor on his computer had a mind of its own. The computer system had been taken over by hackers or a hacker who increased the dosing of NaOH to 100x the normal dose. Drinking lye is not associated with any health benefits that I am aware of. The operator quickly corrected this back to normal and notified his superior. This incident let to an increased awareness of this potential threat. The article noted that the hackers could be anyone, from cybercriminals to terrorists to disgruntled employees.
The second and third articles in the library take us from the specific case of the community in FL to the more general threat posed by cyber crimes to water and wastewater utilities. The first article notes that attacks are becoming increasingly common and that international actors can be responsible. The authors note that there sometimes state (other nations) actors involved and that the primary goal is to decrease trust of the utilities. The attacks typically occur by spear phishing. That means an innocent enough looking email with a link that is clicked on by an unsuspecting employee. Think of special ways to lose weight, new friends, amazing deals and investment opportunities. Once that employee clicks the link malware enters the system. The software can be sophisticated enough that it can take over frequently visited and legitimate websites. According to article #2, there have been a number of Russian sponsored attacks on our water and wastewater systems since 2018. The Department of Homeland Security reported 25 cyberattacks on water utilities in 2015. Article #2 goes on to discuss ways to enhance security- also the focus of articles #4 and 5.
Article #3 notes that it may be time for utilities to start hiring people to monitor for and put in safeguards against cyberattacks. Move over source control! While similar to article #2, this piece goes into greater detail and is more quantitative (not as easy to read). The article starts by reviewing the typical computer systems used by utilities, or industrial control systems (ICS). These include devices that control pumps and sensors, all connected through a master terminal unit. All of this is illustrated in the diagram below. It talks about how systems are integrated and how they are vulnerable.
This continues to read more and more like a spy novel. There is a discussion of how an attack can progress and the kill chain, how an attack is adjusted based on the success or failure of the different stages of each step of the effort. Then there is a section on how to prevent attacks. Here is the table on that:
Finally, there is a section where individual attacks are described with a response and lessons learned for each.
THIS IS THE PAPER TO ASK FOR IF YOU ARE CONCERNED ABOUT THIS STUFF.
The 4th paper provides a detailed description of the structure of a power grid and provides multiple methods to stave off attacks. This approach can be adapted (according to the authors) to function for other grid -based systems such as water and wastewater. It too appears to be thorough and something you would give to someone in your organization who speaks this language.
The final paper in the library is focused specifically on protecting water and wastewater utilities from cyber and physical threats. It gives examples of three specific hacks including one to a water utility in Australia that resulted in release of untreated sewage over a 2-month period. The paper talks about national efforts in the US to prevent attacks and provides some general guidance. This is like an intro review paper. Easier to digest than #s 3 and 4 but not as much information.
So maybe pick up a spy novel over the holiday break. Perhaps catch up on some Bond movies. But if you want to take your work home with you these may be the articles for you. Next year we can get back to microplastics and nutrients, but here is some fascinating stuff that I wish was just in the world of big screens instead of potentially in our world of big pipes and pumps.