Recent news draws our attention to the vulnerability of our water distribution and treatment systems.
First, seven people employed by two Iran-based computer firms with ties to the government and the Islamic Revolutionary Guard Corps were indicted as part of a denial of service campaign against 46 victims, including an intrusion into the Bowman Dam systems in Rye, N.Y., in 2013. The breach allegedly allowed the suspects to obtain operational information on the dam as well as remote, manual control over water levels and flow rates. Luckily, the suspects were unable to exert those controls because the system had been taken offline for maintenance, prosecutors said.
Secondly, the FBI was contacted in early March to investigate a cyberattack on Nevada’s Clark County Water Reclamation District’s computer system. The hackers demanded a ransom.
Finally, the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team has just released its 2015 Data Breach Investigations Report, which delves into 18 actual cybercrime cases that it investigated. These case studies were chosen to represent the most common and destructive types of incidents that RISK has seen over the last eight years. Scenario #8 profiles the hack of a multi-county water utility’s IT and OT (operational technology). The name of the operator was changed in the report to protect the organization’s identity.
The water utility stated at the outset of the project that there was no evidence of unauthorized access and that Verizon was invited simply to conduct a proactive assessment.
The findings demonstrated a very different situation:
A number of vulnerabilities in internet-facing applications
Antiquated computer hardware running operating systems from ten-plus years ago
Unexplained pattern of valve and duct movements occurring over the previous 60 days
Evidence of communications with known threat actors
Customer education and awareness programs to help mitigate panic
Active communication soliciting public support in reporting unusual activity or water quality changes
Public education regarding specific examples of suspicious behaviors and details about the potential threats.
Communication of how best to respond to utility advisories
As for soliciting public support in reporting suspicious activities specifically related to water utility incidents, the USEPA recommends these as examples:
1) People dumping or discharging material to water sources.
2) People climbing or cutting a utility fence.
3) Unidentified truck or car parked or loitering near a waterway or facilities for no apparent reason.
4) Suspicious opening or tampering with manhole covers, buildings, or equipment.
5) People climbing on top of water tanks.
6) People photographing or videotaping utility facilities, structures or equipment.
7) Strangers hanging around locks or gates.
8) Vehicles other than fire trucks hooked up to hydrants.
A well-informed public is an asset in that they are less likely to panic in the case of an emergency. A clear understanding of the risks and water utility response involved in a potential contamination emergency will result in a rapid and more ordered response - even if only a small percentage of the population is reached.
The MuniApp LLC management team has been a trusted outsourcing partner with municipalities since 1996, providing customer service, meter reading and field services. With our proven technology, management and data analysis skills we have delivered significant monetary value for utilities and their customers. Visit us at www.muniapp.net and see the customer engagement application we are deploying in the U.S. and South America.