Russia-linked European attacks renew concerns over water cybersecurity

Two incidents reported last week by European leaders have once again spotlighted one of the most unsettling forms of politically motivated cyber malfeasance: attacks on local water facilities.

First, the director of the Norwegian Police Security Service, Beate Gangås, said that Russian hackers are likely behind suspected sabotage at the dam at Bremanger on Lake Risvatnet, in western Norway, that took place in April, with the saboteurs opening one of the dam’s valves to increase water flow. According to press reports, the valve was open for around four hours but posed no danger to the surrounding areas.

The next day, Poland's Deputy Prime Minister Krzysztof Gawkowski, who is also the country's digital affairs minister, said that a large unnamed Polish city could have had its water supply cut off that week due to a cyberattack. The attack, which Gawkowski insinuated came from Russian hackers but offered no further details about, was foiled by means he did not describe.

Both reports came near the eve of Donald Trump’s meeting with Russian President Vladimir Putin in Alaska to discuss the war in Ukraine, an event that caused fear and suspicions throughout European capitals. As politically advantageous as it might seem for politicians to raise the specter of Russian cyberattacks, experts say these incidents raise legitimate concerns over Russia’s aggression against this most unprotected component of the critical infrastructure sector.

“The Russians do often use these easy-to-execute attacks to poke and prod,” Jake Braun, former White House acting principal deputy national cyber director and now executive director of the Cyber Policy Initiative at the University of Chicago, tells CSO. “Most of the Russian experts I know say that this has been their modus operandi for decades, if not centuries. They poke and prod, but that is just a prelude to future, far larger attacks.”

Experts suggest that water utilities in the US and Europe should view these incidents as early warning indicators, and they should redouble their efforts to create and update their cybersecurity defense capabilities.

Pro-Russia Z-Pentest Alliance linked to the dam attack

A video posted on Telegram purports to show the April attack on the Norwegian dam. Ron Fabela, director of industrial cybersecurity at ABS Consulting, who stumbled on the video in April, says it is typical of the Z-Pentest Alliance, a group that might be of Serbian origin but is considered a pro-Russian operational technology (OT) threat actor.

The video shows the attackers fiddling with the dam’s controls on a human-machine interface (HMI), fumbling around to change the water flow and level, and ending with a final view showing the manipulated state of the system with background music from a Russian punk rock group.

As was true of a series of similar attacks by likely young Russian amateur hackers in the US, the dam attackers didn’t know what they were doing and made a lot of mistakes. “The one thing I found funny is one of these set points is a percentage, and obviously they didn’t read that, so they initially tried to put in 999% and the system, being smart, was like, no, that’s dumb,” Fabela tells CSO. “That falls in line with my hypothesis that these folks don’t understand the systems they’re interacting with.”

Although Norwegian officials attribute the attack to Russia, Fabela doesn’t think there’s a direct nation-state connection involved. “Their actual nation-state hackers, like our equivalent of the CIA, don’t boast about it on Twitter and Telegram,” he says.

However, Braun thinks the Kremlin’s involvement can’t be discounted. “Russia has this kind of symbiotic relationship with criminal organizations that it uses as cutouts,” he says. “Just because this may look like a bunch of kid hackers who are just messing around, that doesn’t mean that the Russian government does not totally sanction this.”

Attribution for the averted Polish cyberattack is not easy, given how little information the government has released. Fabela points out that there was no chatter about attacks on Polish assets on Telegram or other communications channels aside from “your normal DDoS stuff, which happens all the time,” he says. “If I were a threat actor and I almost shut off the water, I don’t think I’d be bragging about it either.”

Water utilities should remain vigilant

Although most water facility operators have received repeated warnings over the years that they are desirable targets for Russian, Iranian, and Chinese threat actors, experts say these latest incidents underscore the need to remain vigilant and step up security efforts.

If water asset owners have "any kind of control system online, it shouldn't be because it's at risk for eventually one of these threat actors to do a drive-by and do a video and make a lot of fuss about it," Fabela says.

This kind of message is more likely to spur water utilities toward action because “most of them I’ve talked to are more worried about the call from the FBI than they are about any impact,” he says.

The University of Chicago's Braun thinks the chronically underfunded water utilities should start seriously exploring how to fund more cybersecurity help, "whether that is hiring a CIO or bringing on a consultant to do something to improve their cybersecurity," he says.

For those who can’t manage to raise the funds, there are resources in the US, such as the DEF CON Franklin project, which Braun also spearheads, that provides free volunteers and cybersecurity tools. “We’re free, and we’ll always be free and happy to help advise water utilities on how they can secure themselves,” Braun says.

For utilities located outside the US, Braun recommends the Cyber Peace Initiative, which also offers free resources to utilities.

No matter how they work it out, water utilities must start paying closer attention to cybersecurity. “Water is one of the most important kinds of life-maintaining critical infrastructure sectors,” Braun says. “It is the one that is both the most essential and at the same time least protected.”
