Ampyx Cyber

What can ransomware do to your water?

BY KERRY TOMLINSON, AMPERE NEWS

August 24, 2022

Ransomware gangs are stalking companies around the world, including water plants that bring you your drinking water.

In the latest case, they hit a water company in the United Kingdom. What happens if they try to hold your water company hostage?

Major Mistake

A cyber gang known as Clop claimed it infiltrated Thames Water (the water supplier for London, England) and found what it said are terrible things.

"This company is all for money and not deliver reliable service," the gang said. "They lost way when only concentration on finance."

But the stolen data showed it was not Thames Water, but actually the smaller South Staffordshire water company serving 1.6 million people further north. Still, the gang caused problems for the smaller company, including disruptions in the corporate network.

South Staffordshire said in a statement that they managed to keep the hackers from affecting the actual water systems.

"This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water," the statement said.

But that doesn't mean things will flow smoothly if a ransomware gang attacks your water company, especially since these utilities tend to have less cybersecurity than other critical services like electricity and gas.

Ransomware in your water

Cyber gangs may not know they have a water company in their sights when they first hack the company, looking to launch ransomware that scrambles your files and makes it impossible to use computers.

"Ransomware does not know what a water system is," said Carter Manucy, information technology/operations technology and cybersecurity director at Florida Municipal Power Agency. "It doesn't know where it is when it lands a lot of times."

"It does its thing, it puts a message on the screen says, 'Go do these, do this function, pay this money, we'll get out of your hair, we'll be on our merry way,'" he added.

That sounds like it could be good news. If they don't know they're in your water system, your water could survive unscathed. The ransomware could stay in the office computers and not affect the computers that treat and deliver water.

Unfortunately, not always.

Ghost in the machine

The ransomware can shut down the machines that help people see important functions like chemical levels in the water, how pumps are operating, and pressure levels to prevent accidents. This is crucial information they need to run the system.

"That's what we lose," Manucy said. "So when that machine goes down, you don't know what's going on. It might as well be invisible to you."

Companies can still run your water and keep it safe, even when they can't see this info. But it could be much more difficult, especially over a long period of time.

Also, the criminal gang may soon learn that they have a water system on the hook and could put on more pressure to pay up, especially during a drought, for example.

Ransomware gangs attacked water companies in Nevada, Maine and California in 2021.

Motivations

Most gangs like these deal more in data and money than in trying to poison people or withhold their water. In the case in Britain, the gang says it will reveal private information and emails if the water company doesn't hand over the money.

From time to time, attackers will show an eye for evil.

In a famous case in Oldsmar, Florida, last year, someone hacked into a water company and tried to increase chemicals in the water to dangerous levels. Operators saw the problem and shut it down. In addition, there is testing to prevent poisoned water from reaching people.

Side doors

How do they get in?

"I'd say the easiest way is remote access," Manucy said.

Many water companies have older equipment, not enough staff to protect everything, and not enough money to change.

Setting up remote access to their systems helps them get more done, more efficiently, but also gives cyber crooks a path in if there's not enough protection.

"Every time we try to make these things simple, a lot of times it backfires and makes them simple not only for us, but simple for everybody else as well," Manucy said.

Crime gangs also send phishing emails to company employees to trick them into clicking on a poisoned link or giving up the passwords to their accounts with fake login pages.

What now?

Carter says water companies should do things such as:

- Identify the old equipment.

- Make a plan to upgrade it so they're not dependent on it.

- Make backups of their data so ransomware doesn't shut them down.

- Have everyone use multi-factor authentication, an extra login step so if attackers steal your password they still can't get in.

For now, ransomware probably won't dry up your water or leave you with a cup of high-chemical cocktail, but it could still leave a mark. Like bigger water bills.

"Probably a bill like from the response from the utility having to upgrade all their systems because they can't repair them. And now that system is gone. And they have to replace the whole thing," Manucy said.

"We need to change all of us together and do things differently in order to move on and do a better job," he said.

Keep an eye out for emails that ask you to click on links or send you to a login page that could be used to steal your passwords.
