Cyberattacks on environmental facilities---incidents and reflections
1986-01-01 00:00:00
The Computer Fraud and Abuse Act (CFAA)---federal anti-hacking law
Enacted as an amendment to the 1984 Comprehensive Crime Control Act. The CFAA criminalizes the act of "intentionally accessing a computer without authorization" and was originally enacted by Congress in 1986 to combat various forms of “computer crime.” At that time, this was largely understood to cover “hacking or trespassing into computer systems or data.” It allows civil and criminal causes of action.
2000-03-02 23:02:27
Individual revenge hack causing grave raw sewage spill, Maroochy Shire, Queensland, Australia
Vitek Boden, a former supervisor of the SCADA system (an insider attack), conducted a series of electronic attacks on the Maroochy Shire sewage control system after his job application was rejected by the city council, causing millions of litres of raw sewage to spill into local parks, rivers and even the grounds of a Regency hotel. Marine life, creek water quality and residents' health were endangered. The hacker was sentenced to 2 years' imprisonment.
2002-11-25 00:00:00
Critical Infrastructure Information Act of 2002 (CIIAct)
The Act regulates the use and disclosure of information submitted to the Department of Homeland Security (DHS) about vulnerabilities and threats to critical infrastructure. Importantly, it created the Protected Critical Infrastructure Information (PCII) Program to protect private sector infrastructure information voluntarily shared with the government for the purposes of homeland security, which enhanced the voluntary sharing of CII between infrastructure owners and operators and the government. The PCII Program protections give homeland security partners confidence that sharing their information with the government will not expose sensitive or proprietary data.
2007-08-15 00:00:00
Current employee hacked operating system and diverted irrigation water flow, Willows, CA, USA
Tehama-Colusa Canal Authority (TCAA) consists of 17 water contractors and operates two canals---providing irrigation water to federally-owned local farms. Michael Keehn, 61, former electrical supervisor at the TCAA, installed unauthorized software and damaged the computer used to divert water from the Sacramento River to the 306 local farms. The canal and diversion were fixed manually; still, the breach caused TCAA more than $5,000 in damages. Michael Keehn faced ten years' imprisonment and a fine.
2008-05-01 00:00:00
Prior Employee disabled off-shore oil platforms' leak detection system, LA, CA, USA
Mario Azar, 28, was a former information technology consultant under contract with the Long Beach-based Pacific Energy Resources, Ltd. (PER) and the founder of the computer system that was later hacked. After being denied a permanent job offer and fired in May 2008, he illegally accessed the PER computer system, shut it down for a while, and “caused damage by impairing the integrity and availability of data.” Malicious programs were applied to the system; no environmental hazard was generated, but the attack still caused thousands of dollars in damages according to the complaint. He faced charges carrying a maximum of 10 years in federal prison and was finally sentenced to probation for 5 years, with restitution and community service required.
2008-05-01 00:00:00
Water Filtering Plant hacked with virus, Harrisburg, Pennsylvania, USA
Systems were accessed in early October after an employee’s laptop computer was compromised via the Internet and then used as an entry point to install a computer virus and spyware on the plant’s computer system. The FBI investigation concluded that the hacker was located outside the US and did not appear to target the actual plant---rather, the hacker merely intended to use the computer to distribute emails and other information. Nevertheless, this breach could have altered the concentration levels of disinfectants in the potable water and posed a danger to human health.
2011-09-07 23:02:27
Hackers destroyed water pump for clean water (false alarm?), Illinois, USA
The Illinois Statewide Terrorism and Intelligence Center (STIC) claimed that a hacker with a Russian IP address caused a pump providing clean water for residents to burn out by repeatedly turning it on and off. The alleged hacking started in September. The FBI and the DHS, after carrying out "detailed analysis" of the issue, opined that they could not confirm the intrusion, and that "there was no malicious or unauthorised traffic from Russia or any foreign entities, as previously reported." The conflicting narratives from two government agencies regarding the hackers' origins could be confusing, while the incident certainly raised concerns about the vulnerabilities of water utilities. It also posed the risk of a cry-wolf effect and public anxiety.
2011-11-08 23:02:27
Water utility control system easily hacked, South Houston, Texas, USA
A hacker named "pr0f" accessed the control system for the water utility and posted a document to the Pastebin website with screenshots of internal control systems, exhibiting the ability to penetrate the system. The hacker claimed that cracking a three-character password was all the hacking required. South Houston's Water and Sewer Department made no comment on the alleged ability.
2012-03-15 00:00:00
Former CFO hacked water treatment system for fellow workers' personal info, FL, USA
The former CFO of Florida’s Key Largo Wastewater Treatment District illegally accessed the district’s computer system to download emails and other personal documents after the non-renewal of an employment contract. The CFO was later arrested and faced felony charges. The hacking was limited to the IT system and was detected in time by a routine check of the corporate email system. A second authentication step is recommended for account management.
2013-03-15 00:00:00
Iranian hackers hacked Bowman Avenue Dam and obtained operating information, Rye, New York, USA
Iranian national Hamid Firoozi infiltrated the Bowman Avenue Dam and gathered information on water levels, temperature, and the status of the sluice gate---a key component of the dam that remotely controls the water level and temperature of the creek. A cellular modem was involved. Luckily, the dam’s sluice gate had been manually taken offline for routine maintenance, so no real control of the gate was lost, and the hacking was not strictly an intrusion but rather reconnaissance (where the attacker gathered information on a potential target by looking for publicly available information on the Internet).
2015-04-07 23:02:27
DEFRA's air-quality website hacked by Islamic hackers
Islamist hackers seized control of the UK government's official air-quality website and displayed a large portrait of the former Iraqi dictator Saddam Hussein, allegedly to send a message criticising Britain for its role in the invasion of Iraq in 2003. The hacker group, Moroccan Islamic Union-Mail, functions much like an Islamist version of Anonymous.
2016-03-01 00:00:00
(Disclosure) Kemuri Water Company (pseudonym), (place unidentified), USA
An undisclosed water utility hired Verizon Security Solutions to conduct a proactive cybersecurity assessment of its OT (distribution, control, and metering) and IT (personal and billing information of customers) systems. Verizon found that KWC had a poor network and security architecture, with unsecured and out-of-date systems (AS400) plagued with known exploitable vulnerabilities and legacy operational technology (OT) systems, making the utility’s valve and flow control application vulnerable, especially to state-sponsored hacktivists. Subsequent investigations found unauthorized withdrawal of 2.5 million unique records and manipulation of chemicals and flow rates; the related systems were shut down immediately, before further compromise or information leakage.
2016-11-03 05:08:24
Abnormal cellular data bill increase in one drinking water utility, USA
(Location unidentified.) The authority was hacked between November 2016 and January 2017, with 4 of its 7 routers (providing wireless access for monitoring the utility's pumping stations) compromised. The hackers aimed to steal internet bandwidth, causing a 15,000% increase in cellular bills. No infrastructure or physical harm was caused. The failure to install patches should be alarming.
2018-10-10 00:00:00
Ransomware virus attack on water authority, Jacksonville, North Carolina, USA
Onslow Water and Sewer Authority, a water utility company, was targeted by cyber-criminals in October of 2018, right in the wake of Hurricane Florence. After a first round of attack with the EMOTET virus locked out employees and encrypted databases, the authority approached outside security experts for a response; then a second round of attack with the RYUK virus started, prompting the authority to disconnect its facilities from the internet. The attack was understood to be a targeted one because it came right after a natural disaster and because the virus was launched at 3 am on a Saturday (the most vulnerable time). The State, FBI, DHS and multiple security firms collaborated in the investigation; the authority refused to pay the ransom. Brand new IT systems were planned to be built from scratch.
2018-11-16 00:00:00
Cybersecurity and Infrastructure Security Agency Act of 2018
This Act amends the Homeland Security Act of 2002 to redesignate the Department of Homeland Security's (DHS's) National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency. It transfers resources and responsibilities of the directorate to the agency.
2019-02-11 00:00:00
Ransomware attack left employees unable to access technical data, Colorado, USA
Fort Collins Loveland Water District serves customers in parts of Fort Collins, Loveland and three other counties in Colorado. On Feb 11, staff reported being unable to access technical and operational data, which revealed the ransomware attack. The District declined to pay the ransom and managed to unlock the data within weeks. The District decided not to notify its customers about the attack, because no customer data was leaked: it did not store any such data at the time. Data segmentation and segregation proved effective in protecting security.
2019-05-29 18:05:05
Ransomware attack on police department impacted water utility, Riviera Beach, Florida, USA
A police department employee opened an infected email, which paralyzed the computer systems of government offices---including that of the water utility. Computer systems controlling pumping stations, water quality testing and payment operations were compromised. The City Council later voted to pay the ransom of 65 bitcoins. Even after the payment, some water pump stations and water quality testing systems remained only partially available. The city later invested a large amount in replacing existing hardware, but the network was still not updated and patches were not installed in time.
2020-08-13 00:00:00
Ransomware attack against water utility company, California, USA
A cyber-attack against Camrosa Water District (the company) resulted in data on certain devices becoming encrypted. It also revealed unauthorized access to files on the company's file servers between August 20, 2019 and August 13, 2020. The breach led to the potential leak of customers' Social Security numbers and financial information.
2021-02-09 00:00:00
Suspicious data flow detected in small water utility ICS-CERT 2016, USA
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) was called in to deal with suspicious network traffic at a small water utility. The agency then started an investigation and used methods such as whitelisting and reverse engineering to try to identify the attacker, the breach point, the data compromised and a future mitigation strategy.
2021-02-09 00:00:00
Hackers attacked water treatment facility and raised level of chemicals, Oldsmar, Florida, USA
Hackers (allegedly from Syria), by gaining unauthorized access to a web server, raised the level of sodium hydroxide (NaOH, commonly known as lye) used to treat tap water to hundreds of times higher. The operator detected the change and restored the chemical level to normal standards before any tangible harm was done. (The chemical is the chief ingredient in liquid drain cleaners; it is highly corrosive and can cause irritation to the skin and eyes, along with temporary loss of hair. Swallowing it can cause damage to the mouth, throat, and stomach and induce vomiting, nausea and diarrhea.)