Whether you call it an “ICS/OT” attack or an “IT” attack is not my concern here. My focus is on the target, which can be a water or sewage utility, plant or system. I am focusing on the water industry, nothing more and nothing less. Let me tell you why I am writing this article. First of all, I don’t want to repeat what others wrote about the latest water attacks, nor do I want to join their debates. I am interested in learning about the history of the recorded water attacks that are available online. So I dug through Google and found two databases that focus on ICS incidents: RISI and ICS Strive. I also referred to a paper on water system attacks, “A Review of Cybersecurity Incidents in the Water Sector”, which covers incidents from 2000 until 2018. I’m not aware of other incident resources, and that is not an issue, because I’m looking to learn why (causes) and how (methods) those systems got hacked. I want to know whether there is a repeatable pattern (the same issues and techniques) in attacks on water systems. So, let’s expose it.
Most of the attacks over these 21 years were caused by:
- unauthorized remote access due to weak configuration or a vulnerability;
- availability of credentials of employees or ex-employees, due to a bad policy of not changing passwords and not deleting old accounts, due to malpractice by employees who help ex-employees, or because many leaked or stolen credentials are available for download in the digital wild;
- malware or ransomware; these tools are available online for free or for a fee, and their use is increasing.
Many water systems are connected to the internet (low-hanging fruit) and can be found using search engines, so attackers in the past found it easy to hack them. Looking at the water hacking incidents, I found some peculiar uses of water systems by attackers: some used the systems for mining cryptocurrency, some for their bandwidth, some for data purposes such as theft or destruction, and others for financial gain. So the attackers are not only looking to harm the system physically; they can have other means and purposes. Knowing the multiple tactics and goals is beneficial, because it keeps an open and creative eye on where to look and how.
The 2020 and 2021 water attacks really didn’t differ in terms of what caused them; they shared the same methods and pattern. I don’t expect that to change; after all, we are humans and repeat the same mistakes. So 21 years have passed and nothing has changed, despite the increase in technical tools, solutions and knowledge in the ICS community. In my opinion, coming up with new and sophisticated solutions (vendor style) won’t solve this issue, at least not at the beginning, unless asset owners take responsibility and start acting. The issue now is that water asset owners either don’t care or don’t know how to handle the administration and security of their systems. An organization has to establish a clear policy on how to deal with security matters, and that policy also has to deal with humans: insiders, contractors and ex-employees. Many of the incidents of the past 21 years were caused by human error and human motives. Human attitudes to risk are repeatable from a cognitive and historical perspective, so they hardly change. The only things likely to change are new technologies (such as an improved version of crypto mining) that attackers might apply to water systems, or new attacks and vulnerabilities showing up.
We can draw practical detection tricks from the previous water system attacks. These tricks are based on watching the impact of attacks on water systems, which I categorize as system, network and financial impact. I haven’t covered the physical impact, because it is obvious to detect unless your monitors are disabled or manipulated. Physical impact normally appears at a later stage, when it is often too late, as most attackers have already been in the system for some time. Obviously I would encourage you to monitor the logs; some of them are mentioned in my list below. My point here is to mention what others missed or misused in the previous 21 years and what we can learn from it. These can be added to your monitoring strategy. Bonus and free tips on how to detect such attacks and intrusions on your water system:
- Watch the network bandwidth and make sure it is normal. Admins should be able to distinguish the right time and the right level. There are free and built-in tools for this task.
- Watch computer resources. Make sure the machines are performing at the normal load and at the right time. There are free and built-in tools for this task.
- Check your meter readings and finances. As we saw earlier, companies realized this a bit too late.
- Perform routine admin checks on the system. This requires staff with at least basic technical skills. There are free and built-in tools for this task.
- Compare your current bills to the average of your previous bills. The accountants and finance department have to be involved in the process.
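To make the bandwidth, resource and billing tips concrete, here is an added example in Python (my own illustration, not code from the incident databases or the paper cited above). It builds a separate baseline for business hours and off hours from a trusted period of hourly readings, flags readings in a later period that sit far above the baseline for their window, and compares a bill to the average of earlier bills. All readings, timestamps and bill amounts are constructed for the example; the window boundaries (07:00 to 18:00 on weekdays) and the thresholds are assumptions to be tuned per plant.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    ts: datetime
    value: float  # e.g. Mbit/s leaving the plant network, or CPU % on an HMI


def bucket(ts: datetime) -> str:
    """Split readings by operating window. The same load is normal at 09:00 on a
    Tuesday and suspicious at 02:00 on a Sunday (mining, bulk transfer, a remote
    session nobody scheduled), so each window gets its own baseline.
    Assumption: business hours are 07:00-18:00 on weekdays."""
    if ts.weekday() < 5 and 7 <= ts.hour < 18:
        return "business"
    return "off_hours"


def build_baseline(history: list[Sample]) -> dict[str, tuple[float, float]]:
    """Mean and population standard deviation per window, computed from a
    period the operator trusts to have been clean."""
    groups: dict[str, list[float]] = {}
    for s in history:
        groups.setdefault(bucket(s.ts), []).append(s.value)
    return {b: (mean(v), pstdev(v)) for b, v in groups.items()}


def flag_anomalies(recent, baseline, z_limit=3.0, ratio_limit=1.5):
    """Flag a reading only if it is BOTH many standard deviations above its
    window's mean AND well above it in absolute terms; the ratio guard stops a
    very tight baseline from turning ordinary jitter into alerts."""
    flagged = []
    for s in recent:
        b = bucket(s.ts)
        mu, sigma = baseline[b]
        if sigma > 0:
            z = (s.value - mu) / sigma
        else:
            z = float("inf") if s.value > mu else 0.0
        if z > z_limit and s.value > ratio_limit * mu:
            flagged.append((s.ts, s.value, b, round(mu, 1)))
    return flagged


def bill_deviation(previous_bills, current_bill, tolerance=0.25):
    """Ratio of this bill to the average of the previous ones, and whether it
    deviates by more than `tolerance` in either direction (an unexpectedly low
    bill can mean tampered meter readings, a high one stolen bandwidth or CPU)."""
    ratio = current_bill / mean(previous_bills)
    return round(ratio, 2), abs(ratio - 1.0) > tolerance


def constructed_window(start, days, spike=None):
    """Constructed hourly readings (not real telemetry): about 40 Mbit/s in
    business hours and about 5 off hours, plus a deterministic wobble so the
    baseline has a non-zero spread. `spike` = (first_ts, hours, value)
    overwrites a run of readings to stand in for an intrusion."""
    out = []
    for h in range(days * 24):
        ts = start + timedelta(hours=h)
        base = 40.0 if bucket(ts) == "business" else 5.0
        out.append(Sample(ts, base + (h % 7) * 0.5))
    if spike:
        first, hours, value = spike
        end = first + timedelta(hours=hours)
        out = [Sample(s.ts, value) if first <= s.ts < end else s for s in out]
    return out


def run_checks():
    # Two clean weeks (1-14 Feb 2021) as the baseline, one later week to check,
    # with four hours of business-level traffic injected at 01:00 on a Saturday.
    history = constructed_window(datetime(2021, 2, 1), 14)
    recent = constructed_window(datetime(2021, 2, 15), 7,
                                spike=(datetime(2021, 2, 20, 1), 4, 48.0))
    baseline = build_baseline(history)
    anomalies = flag_anomalies(recent, baseline)
    # Constructed monthly bills; the current one is ~35% above the average.
    bill = bill_deviation([1200, 1180, 1230, 1210, 1190, 1200], 1620)
    return baseline, anomalies, bill


if __name__ == "__main__":
    baseline, anomalies, bill = run_checks()
    for b, (mu, sigma) in baseline.items():
        print(f"baseline {b:10s} mean={mu:5.1f} stdev={sigma:4.2f}")
    for ts, value, b, expected in anomalies:
        print(f"ALERT {ts:%Y-%m-%d %H:%M} {b}: {value} vs expected ~{expected}")
    print(f"bill ratio={bill[0]} flagged={bill[1]}")
```

The point of the per-window baseline is the “right time” in the tip: 48 Mbit/s would pass unnoticed against a single all-hours average, but against the off-hours baseline it is flagged four times, once per injected hour. Feed the same functions CPU percentages from an HMI or engineering workstation and the resource tip is covered with no change to the logic.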
We have finally exposed the water hacking world. What is the takeaway from this article? Water hacking is going to continue. I’m not a pessimist, but I am trying to be realistic. Shall we blame the water systems (the machines) or their operators (the humans)? I prefer the middle ground and don’t go to extremes: get knowledge about both the water systems and the humans. Apply the lessons learned from the attacks on water systems over the past 21 years. Most of their recommendations are basic, straightforward and free. Before spending money on resources, seek out free guides; there are many free guides offered by the ICS community. Once you have learned and applied what is applicable to your water systems, you can proceed, progress and seek out solutions and consultants. My message to water asset owners is: it’s time to protect your water infrastructure digitally the way you protect it physically.