In a recent cyberattack, water utility hackers were more interested in nabbing free cellular bandwidth than in interrupting water service.
A Department of Homeland Security (DHS) intelligence briefing published last month indicated that in a cyberattack on a water authority last year, the aim of the attack was to “steal valuable internet service, and lots of it,” according to a Circle of Blue report, which cited sources with knowledge of the briefing.
The hackers took command of the water authority’s cellular routers, the news report said. The infiltration caused the authority’s cellular data bill to soar from around $300 per month to over $53,000.
“The utility was not named in the report. This much is known, though: The intrusion did not damage utility infrastructure. Instead, the hackers took advantage of it. They seized control of Sixnet BT series cellular routers that were designed to provide secure wireless access for monitoring the utility’s dispersed collection of pumping stations and other sites... Four of the utility’s seven routers were compromised,” the report said.
Kevin Morley, security and preparedness program manager with the American Water Works Association, provided insight on the attack.
“I don’t believe they were targeted because they are a water utility. This seems like an opportunistic action to ‘steal’ bandwidth from a system to which they gained access,” Morley, who saw the federal report, told Circle of Blue.
“Most cyberattacks on water utilities do not result in damaged pumps or unhealthy levels of chlorine in the water supply. Instead, the motivation is often money, Morley reckoned — free internet by tapping an unsecured router or the possibility of a ransom by holding email servers hostage,” the report continued.
In recent months, federal officials have been urging water utilities to pay more attention to the threat of cyberattacks.
“This will become a greater issue in the future, as more water systems try to cut costs by moving toward full automation,” BNA Bloomberg reported, citing federal aides.
The U.S. EPA and the DHS are trying to assist small water systems in this area. They are creating new training materials that could be especially useful for small, rural systems without adequate resources, according to the report.
Helen Jackson, who works with the DHS Office of Cybersecurity and Communications, pointed utilities to tools prepared by the National Institute of Standards and Technology focused on assessing cybersecurity risks.
To read more about avoiding cyberattacks at utilities visit Water Online’s Resiliency Solutions Center.
"hacker-1," iaBeta © 2017, Public Domain: https://creativecommons.org/publicdomain/zero/1.0/