It was late, and I was about to sit down to read when there is a knock at the door. From the door I notice outside that there are city, fire and police vehicles with their lights on all the way down the street. I was greeted by a local water company employee who immediately showed me his identification. “What’s going on?” I asked. He told me “there’s a problem with the water” he said, “It’s been shut off, if you have any water that came from the tap, do not to use it for any reason” he added. He wouldn’t say more than that and walked on to the house next door.
Having to know more, I turn on the TV to the local news. “News ALERT” was plastered at the bottom of the screen. The reporter currently on camera was stating that there was a “water contamination of unknown origin”. The map that flashed up on the screen showed that it wasn’t just my neighborhood but 2 or three other subdivisions in my area that had no water. I start thinking of the last time I used any water or turn on the tap.
I wake up the next morning and remember the water is off. “No shower” I thought. If that wasn’t bad enough, each toilet in the house had become “single use”.
It was eight days before the water came back on and once it did we were warned to flush out everything that used water including the taps, dishwasher, washing machine, ice maker, anything that used water.
It Can Happen Here
The story you just read is fiction. The scenario however is quite possible.
According to the Register and other sources, in 2016, attackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water. This could have easily made people sick. What if the attackers were able to introduce something else into the water supply?
Attackers were able to compromise the water company’s computers by exploiting an unpatched, public facing web server. I know what you’re thinking, “how was an attacker able to gain access to critical infrastructure through a customer facing website?”. It actually was not that difficult, as the user credentials for the water control system were found through the compromise of the customer facing website. Along with the corruption of a vital public resource, 2.5 million customers’ personal information were also exposed, so there’s that.
What Do You Rely On?
In the United States, day-to-day life is made possible by 16 sectors of critical infrastructure including;
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Information Technology
- Nuclear Reactors, Materials and Waste
- Transportation Systems
- Water and Wastewater Systems
A disruption to any of these systems, can have significant and even catastrophic consequences for our nation. Week 4 of Cyber Security Awareness Month emphasizes the importance of securing our critical infrastructure and highlight the roles the public can play in keeping it safe.
That’s Scary But What Can I Do?
The primary concern is not whether it is nation states or hacktivists (hacker-activists) attacking our infrastructure. The problem is that it’s being attacked and if you knew to what extent, it would be downright disturbing.
If you are an employee of a company that falls into one of these 16 critical infrastructure domains, then you are most likely already engaged in a training program to help your company stay safe. If not, you should be asking why.
If you’re like most people, and you don’t work in or around one of these industries, you might be asking yourself, “what can I do?”. The answer is what you would expect: “If you see something, say something”. If your bank’s website is acting strange, contact support and let them know. Pay attention to your surroundings. If you notice something or someone looks out of place, let someone know.