In November 2018, the New York Times published an opinion piece titled “A Perfect Target for Cybercriminals.” From that title, you’d think the article was talking about our home computers, phones, TVs or other electronic devices. It was actually referencing America’s water supply systems. While hacking a water supply might seem like a dark subplot in a film about a dystopian future, there have actually been multiple reports of hackers infiltrating American water system networks from Michigan to North Carolina in recent years.
According to a March 2018 report from the Department of Homeland Security, “Since at least March 2016, Russian government actors…targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” This week, we’re looking into a couple of the known breaches, how the companies involved chose to react and how the government is acting to keep American families—and their water supplies—safe from foreign interference.
Which Water Systems have been Affected?
Fortunately, there have been no known threats to any Nebraskan water systems as of the writing of this blog. However, multiple states have encountered threats to their water infrastructure since 2016. A quick Google search turned up results from multiple news sources, but a few of the articles declined to name the areas affected due to either customer confidentiality agreements or fear that they would be retargeted. Two of the most significant cases we found took place in Lansing, Michigan and Onslow County, North Carolina.
Lansing Board of Water & Light Breach
In Lansing, the Board of Water & Light was targeted through a spear phishing campaign in which an unnamed employee opened an email attachment containing a ransomware virus. The virus then locked the company’s email and accounting systems, demanding a ransom of $25,000 in bitcoin currency. The Board of Water & Light paid the ransom after two days and incurred extra costs due to cyber forensic searches, replacing one infected server, introducing new cybersecurity upgrades and cleaning and testing 700-800 laptops, desktops and servers. In all, the total cost of the breach was around $2.4 million. Luckily, officials from the company saw that no personal data was recovered, and hackers were unable to gain access to any critical utilities.
Onslow County, North Carolina Breach
The case in Onslow County, North Carolina was even more disastrous. ONWASA—a water utility company which provides services to all of Onslow County except Jacksonville—had its internal computer systems attacked by ransomware which left them with limited computer capabilities. While customer information was not compromised, some databases had to be remade from scratch. The company is working with the FBI, Department of Homeland Security, state of North Carolina and several technology security companies to figure out the source of the issues. Officials believe ONWASA was targeted because it was left vulnerable in the wake of Hurricane Florence. As of Oct. 15, 2018, the company stated it would not pay the ransom demanded by the cybercriminals because it will not “negotiate with criminals nor bow to their demands,” opting to rebuild its programs instead.
Government Action Against Hackers
The report from Homeland Security may have outlined what’s been happening, but what’s being done about it? Unfortunately, not much. The National Institute of Standards and Technology has made tools available to help assess security risks and U.S. federal officials have urged water utility companies around the country to scrutinize and update the cybersecurity they have in place, but so far, no steps have been taken on a national scale. Only time will tell whether or not utilities heed the warning that their security is at risk.
Keep up with the Quality Water Services blog to stay informed about all things water-related. If you’d like to take action on the security of your family’s water supply, consider a soft water treatment system. QWS would be happy to test your water and provide a consultation, and we’re just a phone call away!