Bad News: Hackers Are Coming for Your Tap Water

Foreign attacks on Kyle Wilhoit’s online decoys suggest that municipal pumps are easily violated.

<a href="http://www.flickr.com/photos/42925588@N00/5502509549/in/photolist-9oeNoi-doE2CR-ijaGy-feLWW-5LvjnP-86FXAe-21CiT-6E5PZ6-25nrc-e1gpum-7JcD6K-8ZEYGF-6ygQpZ-y7WZH-3gvP9w-afaihp-aerAtv-7jufdT-mWTJt-8oWWCk-2u6twe-6e1Bmx-8hMrM-3rejye-7Xsg24-5mueWc-4eFex-4qMx-4qMw-6aQLa-8smuq4-7kCNd-5743m9-5QUGp-9F2hSC-9h25Dv-cZFpXU-dpswLz-6ThcUT-oCxid-dP4qP8-aeuuGy-dCQ4bb-66Wh4f-3ZZAAe-Q2TL-EazCN-bFCSNc-5eRWXr-96N9yk-75CnzW">Wayan Vota</a>/Flickr

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.


Kyle Wilhoit, a 29-year-old Missourian working for a cybersecurity company called Trend Micro, has spent the last year building fake water plant control systems that mimic the online control systems used by real American utilities. Dubbed “honeypots,” these sorts of decoys are deployed to draw in the ill-mannered beasts of the internet—malicious hackers.

Wilhoit’s traps appear to be working. Hackers employing a software tool used by the Chinese army—as well as hackers that appear to originate from Russia, Palestine, Germany, and other countries—have been breaking into Trend Micro’s phony US water systems. In some cases, they have gone so far as to steal files so they can access the systems again. They also have gained access to imaginary pumps, which in a real scenario would allow them to modify water pressure, temperature, purification level, and even shut off the flow entirely.

“What would the Chinese army want? Do they want to contaminate US water plants?”

“Everyone has talked of [these systems] getting attacked, but I wanted true numbers to prove the attacks were occurring,” says Wilhoit, who presented the report of his company’s findings at the Black Hat conference in Las Vegas last week. “I was expecting typical drive-by automated attacks, but never dreamed of having a true targeted attack.”

Matthew Rhoades, a cybersecurity expert and director of legislative affairs for the Truman National Security Project, told Mother Jones that he’s “not totally surprised” by the report, given the past allegations of foreign entities attempting to infiltrate America’s critical infrastructure. (In May, for example, the Wall Street Journal reported that Iran was hacking into our oil, gas, and power firms.) “The question is,” Rhoades says, “what would the Chinese army want? Do they want to contaminate US water plants? Are they mapping it out as a contingency for some sort of future conflict? The latter seems like it’s a potential, and that wouldn’t surprise me either.”

Since late last year, Wilhoit and Trend Micro have deployed 12 honeypots in eight countries, mimicking servers that control water pumps. (Earlier this year, a study supported by the Department of Homeland Security found that more than 7,000 industrial control systems—a broad term encompassing water, gas, and electrical systems—were connected to the internet in the United States.) The traps feature control toggles for temperature, on/off functionality, and other password-protected settings. Water systems are easy to imitate since their cybersecurity is “typically very lax,” Wilhoit explains. “Attempting to mimic a nuclear plant would be very difficult.”

Trend Micro set up the decoys to draw attention to the state of critical infrastructure cybersecurity. After the honeypots were deployed in November 2012, it took only 18 hours for the first hacker to visit. In December, using HACKSFASE—the same tool used by the Chinese army to attack US government agencies, according to the New York Times and a security company called Mandiant—a Chinese-based hacker infiltrated one of the US honeypots and tried to access multiple pages. The person also made a successful spearphishing attempt, sending a fake email to the owner’s account in order to automatically collect login information. Richard Bejtlich, chief security officer for Mandiant, says that claiming the Chinese army is attacking water plants because a hacker is using HACKSFASE is “weak attribution.” However, he wasn’t aware of other countries using the tool.

Trend Micro also saw attacks of US origin targeting honeypots in Russia and China.

Trend Micro has also traced cyberattacks in the US coming from Russia, Germany, France, the United Kingdom, and Palestine—and attacks originating in the United States that targeted honeypots in Russia and China. Ten of the cyberattacks, including the Chinese attack, were deemed “critical”—meaning that, in a real-life scenario, a hacker could have altered or turned off a city’s water supply. (None of the attacks originating from the United States fell into that category.)

Trend Micro also reported that some American water control systems could be found online using a simple Google search. The cities I contacted were cagey about whether their systems had online controls and what steps they took to defend them against hackers. But they all promised that their supplies were secure. For instance, Pamela Mooring, a spokeswoman for the DC Water and Sewer Authority, writes in an email: “DC Water staff attend briefings on cyberattacks and other threats to utilities, and the Authority has a Cyber Response Plan.”

Alan Roberson, director of federal relations at the American Water Works Association, says most American utility companies “are aware that they need to separate their control systems from the internet…but we still don’t know how many have done that, and how many vulnerabilities are left.” He adds however, that if a utility company knew it was under cyberattack, it could manually take control of the system and easily block intruders.

Last week, the Senate Committee on Commerce, Science & Transportation cleared the Cybersecurity Act of 2013 (introduced in the wake of President Obama’s corresponding executive order), which addresses vulnerabilities in American infrastructure by encouraging companies to follow set cybersecurity standards. If it passes, Roberson says, it will help safeguard water supplies by giving utility companies a way to justify the added cost of security to their boards and customers.

Wilhoit also supports the bill, although he’d like to see the federal government test the specific software and hardware that utility companies are using. “If my system is a realistic depiction of a real water pumping system,” he says, then “compromising a real water system would be very easy.”

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with the Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with the Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate