Bad News: Hackers Are Coming for Your Tap Water

Foreign attacks on Kyle Wilhoit’s online decoys suggest that municipal pumps are easily violated.

<a href="http://www.flickr.com/photos/42925588@N00/5502509549/in/photolist-9oeNoi-doE2CR-ijaGy-feLWW-5LvjnP-86FXAe-21CiT-6E5PZ6-25nrc-e1gpum-7JcD6K-8ZEYGF-6ygQpZ-y7WZH-3gvP9w-afaihp-aerAtv-7jufdT-mWTJt-8oWWCk-2u6twe-6e1Bmx-8hMrM-3rejye-7Xsg24-5mueWc-4eFex-4qMx-4qMw-6aQLa-8smuq4-7kCNd-5743m9-5QUGp-9F2hSC-9h25Dv-cZFpXU-dpswLz-6ThcUT-oCxid-dP4qP8-aeuuGy-dCQ4bb-66Wh4f-3ZZAAe-Q2TL-EazCN-bFCSNc-5eRWXr-96N9yk-75CnzW">Wayan Vota</a>/Flickr

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.


Kyle Wilhoit, a 29-year-old Missourian working for a cybersecurity company called Trend Micro, has spent the last year building fake water plant control systems that mimic the online control systems used by real American utilities. Dubbed “honeypots,” these sorts of decoys are deployed to draw in the ill-mannered beasts of the internet—malicious hackers.

Wilhoit’s traps appear to be working. Hackers employing a software tool used by the Chinese army—as well as hackers that appear to originate from Russia, Palestine, Germany, and other countries—have been breaking into Trend Micro’s phony US water systems. In some cases, they have gone so far as to steal files so they can access the systems again. They also have gained access to imaginary pumps, which in a real scenario would allow them to modify water pressure, temperature, purification level, and even shut off the flow entirely.

“What would the Chinese army want? Do they want to contaminate US water plants?”

“Everyone has talked of [these systems] getting attacked, but I wanted true numbers to prove the attacks were occurring,” says Wilhoit, who presented the report of his company’s findings at the Black Hat conference in Las Vegas last week. “I was expecting typical drive-by automated attacks, but never dreamed of having a true targeted attack.”

Matthew Rhoades, a cybersecurity expert and director of legislative affairs for the Truman National Security Project, told Mother Jones that he’s “not totally surprised” by the report, given the past allegations of foreign entities attempting to infiltrate America’s critical infrastructure. (In May, for example, the Wall Street Journal reported that Iran was hacking into our oil, gas, and power firms.) “The question is,” Rhoades says, “what would the Chinese army want? Do they want to contaminate US water plants? Are they mapping it out as a contingency for some sort of future conflict? The latter seems like it’s a potential, and that wouldn’t surprise me either.”

Since late last year, Wilhoit and Trend Micro have deployed 12 honeypots in eight countries, mimicking servers that control water pumps. (Earlier this year, a study supported by the Department of Homeland Security found that more than 7,000 industrial control systems—a broad term encompassing water, gas, and electrical systems—were connected to the internet in the United States.) The traps feature control toggles for temperature, on/off functionality, and other password-protected settings. Water systems are easy to imitate since their cybersecurity is “typically very lax,” Wilhoit explains. “Attempting to mimic a nuclear plant would be very difficult.”

Trend Micro set up the decoys to draw attention to the state of critical infrastructure cybersecurity. After the honeypots were deployed in November 2012, it took only 18 hours for the first hacker to visit. In December, using HACKSFASE—the same tool used by the Chinese army to attack US government agencies, according to the New York Times and a security company called Mandiant—a Chinese-based hacker infiltrated one of the US honeypots and tried to access multiple pages. The person also made a successful spearphishing attempt, sending a fake email to the owner’s account in order to automatically collect login information. Richard Bejtlich, chief security officer for Mandiant, says that claiming the Chinese army is attacking water plants because a hacker is using HACKSFASE is “weak attribution.” However, he wasn’t aware of other countries using the tool.

Trend Micro also saw attacks of US origin targeting honeypots in Russia and China.

Trend Micro has also traced cyberattacks in the US coming from Russia, Germany, France, the United Kingdom, and Palestine—and attacks originating in the United States that targeted honeypots in Russia and China. Ten of the cyberattacks, including the Chinese attack, were deemed “critical”—meaning that, in a real-life scenario, a hacker could have altered or turned off a city’s water supply. (None of the attacks originating from the United States fell into that category.)

Trend Micro also reported that some American water control systems could be found online using a simple Google search. The cities I contacted were cagey about whether their systems had online controls and what steps they took to defend them against hackers. But they all promised that their supplies were secure. For instance, Pamela Mooring, a spokeswoman for the DC Water and Sewer Authority, writes in an email: “DC Water staff attend briefings on cyberattacks and other threats to utilities, and the Authority has a Cyber Response Plan.”

Alan Roberson, director of federal relations at the American Water Works Association, says most American utility companies “are aware that they need to separate their control systems from the internet…but we still don’t know how many have done that, and how many vulnerabilities are left.” He adds however, that if a utility company knew it was under cyberattack, it could manually take control of the system and easily block intruders.

Last week, the Senate Committee on Commerce, Science & Transportation cleared the Cybersecurity Act of 2013 (introduced in the wake of President Obama’s corresponding executive order), which addresses vulnerabilities in American infrastructure by encouraging companies to follow set cybersecurity standards. If it passes, Roberson says, it will help safeguard water supplies by giving utility companies a way to justify the added cost of security to their boards and customers.

Wilhoit also supports the bill, although he’d like to see the federal government test the specific software and hardware that utility companies are using. “If my system is a realistic depiction of a real water pumping system,” he says, then “compromising a real water system would be very easy.”

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate