The Decibel - Why hackers are targeting water treatment plants

Episode Date: November 26, 2024

In recent years, cyber attacks have become increasingly frequent and wide-reaching. In 2023, the Toronto Public Library, Canada’s largest-circulation library system, was the subject of a ransomware attack. Its systems were down for months, and the library was taken back to a pre-internet age. Now, hackers are turning to water treatment plants – and it’s not money they’re after.

Patrick White is the Globe’s water reporter. He’s on the show to talk about how these attacks have been unfolding, why they look different from other kinds of infrastructure hacks, and how governments are preparing for this new threat.

Questions? Comments? Ideas? E-mail us at thedecibel@globeandmail.com

Transcript
Starting point is 00:00:00 Cyber attacks on infrastructure like libraries and hospital systems have become more frequent over the last few years. But recently, hackers have started targeting water systems. And instead of asking for ransoms, many of these attacks have been politically motivated. The Globe's Patrick White is taking on a new beat as water reporter. Today, he's on the show to explain how hackers are targeting water, what towns are doing to protect themselves, and why the stakes are so high when it comes to hacked water systems. I'm Menaka Raman-Wilms, and this is The Decibel from The Globe and Mail.
Starting point is 00:00:47 Patrick, great to see you. Thanks for being here. Yeah, thanks very much for having me. You recently learned about a water system in Durham region, which is a municipality near Toronto, and their water system had been compromised. What happened there, Patrick? We still don't know a lot about what exactly happened there. The only thing we really know is there was a digital security breach. It was what they are calling a limited breach. It was contained very quickly.
Starting point is 00:01:15 And they have said there's no risk to public health, safety or the environment. The reason why this matters is Duffin Creek. That's the wastewater treatment plant in Durham, is one of the biggest wastewater facilities in the country. It serves about 1.2 million people and takes up this gigantic piece of real estate, the size of about 400 football fields on the shore of Lake Ontario. So if something goes wrong with that much wastewater on the shores of Lake Ontario, there's going to be some kind of environmental catastrophe associated with that. And what was the city's response to all of this?
Starting point is 00:01:50 The city issued a one paragraph statement. I do applaud them for issuing anything at all in Canada. The law says you do not have to go public when something like this happens. So this is actually the first time I've ever seen something like this in Canada. But it was a very brief and very cryptic statement that mentioned that there had been a security breach at Duffin and that there was no further risk to safety or health. But I, that same week had just started as the Globe's new water reporter, new position I'm really excited about. And so I came across this in my searches and I just found it kind of so puzzling that I had to email them and ask them precisely what it was that they were talking about. And they didn't give me a lot more information. But in the process of
Starting point is 00:02:46 asking about it and looking into digital systems in wastewater infrastructure, something I never thought I would be Googling, I found that there's been a lot of cyber attacks on these kinds of facilities. So when you say that the system had been compromised there, it has essentially been hacked then is what you're saying. Yeah, well, that's what I was trying to confirm with them. I think their original language was there was a security breach that had compromised the digital systems. And so I just wanted to get some plain language out of them. So I asked them, can I call this a cybersecurity breach? Because I think that gets into language that most of us are more familiar with. And they said, yes, it was a cybersecurity breach. And it sounds like it's similar to the ones that we've
Starting point is 00:03:32 actually been seeing in the US quite a bit, but we have never really seen in Canada before. So let's talk about what exactly, I guess, hackers are targeting here. Patrick, what is vulnerable about these water systems? Yeah, I wondered the same thing too, because this gets into my youth. But when I was growing up, my grandfather and my dad actually ran the local waterworks in our town. This is what got me into the water job, I'm sure. We'd have to go up to the waterworks depot, which we call the intake, where the water from the reservoir filtered into an intake pipe and was filtered out to the community. And if there were leaves in the filter, we'd have to go out there and manually rake out the leaves to make sure that that didn't end up in people's water. And if the different levels needed adjusting, that was often done by hand.
Starting point is 00:04:29 And if a dam needed to be lowered or raised, that was often done with a hand crank. So it was a very, very analog job. But these days, those jobs are entirely digital. It doesn't matter if it's here in Toronto or if it's a, as I learned, water treatment plants can also just run tiny little trailer parks. They're all digital now and they can all be operated remotely. So they've really joined our toasters and our cars can access all of the water infrastructure really all over the world from the comfort of their own homes in many ways. And those digital portals that have been created for the proper people to adjust levels or do whatever they need to do in this water infrastructure also creates vulnerabilities. So hostile actors can also try and get into those digital portals by trying to guess passwords or other means of getting in.
Starting point is 00:05:35 So that sounds like very similar, I guess, in a way to what we hear about just with regular hacks, getting a password or getting access to someone's computer and then getting access to broader systems. Is that kind of how this works then? Yeah, it is. I mean, it used to be the systems that run water infrastructure tend to come under this. This is a whole other thing I learned during the story of this umbrella called operational technology or OT. And that's separate from what I'm most familiar with.
Starting point is 00:06:04 And most of us are familiar with, called IT or information technology. With companies and governments, IT is usually the front-end stuff. That's your computers, that's your cell phones, that's anything that is meant to send and store information through the internet. OT is the very specific software and hardware that runs, say, the printing presses at the Globe and Mail or the assembly line at an auto plant or the water treatment plant that handles all the water for the city of Toronto. That would be run by OT. And it used to be they were very separate OT and IT. And now through this internet of things, there's had to be a little bit of hybridization between the IT and OT systems. And that's where hackers have seen a vulnerability. Okay, so like to go back to like when your family
Starting point is 00:06:58 had to do this, like physically, like go down and rake the leaves out, like all that stuff, I guess, is kind of automated in a way now. You kind of push a button and this happens on its own and that's where the vulnerability is? I mean, you probably don't even have to push a button in most cases. Usually it's a computer that's just deciding. I was just recently at the Ripley's Aquarium and they actually have an area where you can see the OT systems that measure the salinity of all the tanks and determine the salinity of all the
Starting point is 00:07:25 tanks. And you can see the computer adjusting the different chemical levels, especially the salinity of all the tanks right there in real time. And for anybody but a water reporter, that's deadly boring. But I was working on the story at the time. I'm like, so that's what OT and the related systems called SCADA look like. That's really interesting. And that's a really important thing too. So like in this example, the salinity of these tanks, like those animals require that to be the right balance in order to stay alive, right? And I guess we can translate that to similar things for our own water systems. There's very precise things that are happening to make sure we get clean water
Starting point is 00:08:02 out of the taps. And this is maybe what's being targeted then. Yeah. Things like fluoride that we've heard a lot about recently in our drinking water. Things like chlorine. Those are added to our drinking water to help keep us safe. Now, if you take those out, the water becomes somewhat unsafe. If you load up the water with all of those chemicals, then it becomes very unsafe. Where else have these water hacks been happening so far?
Starting point is 00:08:28 Well, I didn't realize this, but in the last two years, they've been happening really with great regularity in the U.S. Just in the last two years, there have been over 10 that I was able to count attacks on various water providers. No wastewater plants that I could find. That's a bit of a new curveball here in Canada, but it was mostly water infrastructure in various parts of the states. There's also been some attacks in Europe and Israel that we've seen,
Starting point is 00:09:00 but the attacks in the States seem to be getting the most attention of lawmakers. There were a couple of attacks in the early part of this year that prompted the White House to issue a letter to all the state governors saying that there's a new cyber attack threat that they needed to be aware of, and they needed to kind of batten down the hatches, the cyber hatches at all of their water infrastructure immediately to prevent some kind of incursion from one of these foreign actors. Wow. So what have we seen happen in the States so far? Where have these attacks been and what's happened? Well, last year, there was an Iran-backed attack in a place called Aliquippa, Pennsylvania. It's a place that has about 22,000 people in the western part of the state. And that attack specifically went after a piece of technology that regulates the water pressure. And that piece of technology is made in Israel. And it is believed that this Iran-backed attack was politically motivated as a
Starting point is 00:10:07 kind of proxy attack on Israel in a way. This group had also attacked similar technology in Europe and Israel, the same piece of technology. That seemed to be the one that really prompted the White House and the EPA in the States to issue this letter to all the states. Yeah. So when you say this was a politically motivated attack, I mean, can we just kind of expand on that? Like that sounds like a different kind of threat level than maybe just someone looking for some ransom money. It is. I mean, we've all heard about these cybersecurity attacks in the news and probably in our personal lives, too. I mean, there was the Indigo attack that really shut down the online version of that store for quite some time.
Starting point is 00:10:50 One that affected many of us living in Toronto was the Toronto Public Library cyber attack that shut down the library for a matter of months. Those were kind of classic ransomware attacks where an attacker exploits one of these vulnerabilities, often in the IT systems, is able to take control of your entire network and then demand a ransom to assign it back to you
Starting point is 00:11:11 to get that network operating again. So companies, governments are faced with an option, either keep everything offline and try to rebuild their systems, which I believe the Toronto Public Library did, or pay the ransom. It's so rampant at running through some of the data and doing the story. It seems like if you run a company in North America these days, you're going to be dealing with one of these
Starting point is 00:11:39 attacks in the next two years. It's just inevitable. They're so rampant. So these politically motivated attacks are quite a bit different. There's generally no requests for funds. There's no requests for money. They're generally going after critical infrastructure. It's going to be affecting a large amount of people. And there is a hard to define group behind them that are definitely either state aligned or even in some cases, state sponsored. In January of this year in a town called Muleshoe, Texas, a person was just walking by a park and looked up to the local water tower and saw water spilling down the sides of the water tower. The water authorities were able to figure out what had happened. And again, just like in Durham, they were able to prevent anything bad from happening to people
Starting point is 00:12:39 or the environment. But further investigation found that a hack had caused this. And sure enough, a group called the Cyber Army of Russia Reborn later posted a video on Telegram, a messaging platform, showing exactly how the water system had been hacked. And I believe they actually showed pictures, kind of screenshots of the OT system in that town, showing what they had done to make this happen. And then they also threatened further incursions. So if you're a national security advisor in the United States and you see something like that posted on Telegram, you're going to take that very seriously. And they really have in the U.S. We'll be back in a moment.
Starting point is 00:13:34 So it sounds like with a typical kind of cyber attack that we have generally been thinking of, you know, ransom is kind of the goal that someone is looking for money. But with these kind of attacks, Patrick, it does sound like the political motivation is really the factor here. And so there's a very different intent behind it. Yeah. And it's not always clear what the intent is. In some cases, it seems to be kind of a proxy battle in larger wars, certainly with Russia and the war in Ukraine that can be seen as somewhat of a strike against a country that's supplying Ukraine with arms, certainly with the Iran attack on an Israel produced piece of technology. In other cases, it's kind of unknown what's going on. And
Starting point is 00:14:20 there is some speculation, and there has been in the media in the States, that hackers affiliated with China have been probing critical infrastructure in the U.S. Just to see how vulnerable different pieces of critical infrastructure are. So should it come to pass that there are hostilities between those two countries, they can at that point exploit those vulnerabilities. Yeah. I mean, honestly, what better way to cause chaos in a society than target critical infrastructure like clean water, right? You could write a pretty horrific movie about things you could do to the water system and what kind of downstream impacts that would have for everybody involved. Yeah. Yeah. So Patrick, these attacks on our water system sound like they could really do a lot of damage.
Starting point is 00:15:09 I guess I wonder, the two places that you mentioned in Pennsylvania and Texas, these seem like really kind of small municipalities, right? Why are they, I guess, particularly vulnerable maybe to this kind of international infrastructure attack? Yeah, I wondered about that and asked a couple of cybersecurity experts and water engineers, and I wanted to know why these attacks seem to be happening in places I'd never heard of before, quite honestly, aside from Durham, which is right next door to Toronto. And their answer was just that smaller and mid-sized municipalities are always quite
Starting point is 00:15:43 cash-strapped, and particularly right now. And they simply don't have the kinds of budgets that major municipalities do for cybersecurity. They barely have a budget for an IT department, never mind an OT department that would look after cybersecurity for OT systems. So that just creates a little more vulnerability in these places. I think in the case of the Aliquippa attack, it was determined that the technicians there had not changed the default password from 1111. Oh, wow. I mean, so is this something that could, I guess, maybe be solved by taking away that vulnerability? Like if we go back to being manual in this way or just making things accessible in one location instead of having this remote access, would that kind of, I don't know, eliminate part of this threat? for cybersecurity, that's his official title. I think a lot of people just call him the cybersecurity czar, told me is that that is one of the pieces of advice
Starting point is 00:16:49 they're trying to issue as much as possible as separating OT and IT components. He mentioned that they found an example of a, he didn't say it was a water provider, but a provider of something. He was very cagey about what kind of company or government it was that was actually publishing a live stream of its OT systems online that you could access through the internet.
Starting point is 00:17:15 And they immediately got in touch with this company and told them to take it down immediately because this is something that hackers would just love to see. This is a beautiful vulnerability that they could access through Google Chrome. So how prepared is Canada to deal with these kind of attacks? Not very. Most of the people I talked to said Canada is far behind the States, but they said that's kind of to be expected,
Starting point is 00:17:40 because Canada is just not under the relentless volume of attacks that the U.S. is. The U.S. is really, it seems like every month that something is coming up that is targeting a piece of water infrastructure right now. So I think Canada seems to be taking a bit of a wait and see approach. They're looking at what the U.S. is doing and copying a lot of the initiatives that are successful in the States. And actually, most of the experts here seem to think that that is not a terrible approach, considering that the U.S. is generally at the leading edge of these things and usually takes head of, the Canadian Centre for Cyber Security, has issued kind of a toolkit for critical infrastructure providers and water providers to follow is that they've actually provided funding for smaller municipalities to actually create cybersecurity systems within water infrastructure. So when we
Starting point is 00:18:52 talked about the real fiscal challenge that takes place in a lot of these smaller municipalities when it comes to cybersecurity, the White House is now helping them overcome that. That may take place here too, if we are really following suit with all the policies there. Can we just take a moment to highlight how important our water systems are? Like, what effect could a hack really have on a municipality? Like, what happens when these systems are compromised? Look no farther than Calgary this summer, which was without one of its largest water mains for a matter of weeks. And it was not just an inconvenience, but people had to just move out of certain parts
Starting point is 00:19:34 of the city, not permanently, but temporarily move away because it was just too challenging to live there. You cannot run a shower or a bathtub off of bottled water. It's difficult to get enough bottled water to cook with all the time. So basic hygiene, cooking and eating, the very elements of survival become very challenging when our water system is compromised. And I think it's something we really take for granted because it's kind of this hidden line item on our tax bill that we really don't pay attention to. And we really don't consider ourselves paying for it in any considerable way. But it kind of underpins how we survive in the cities and towns all across North America these days.
Starting point is 00:20:21 It is the underpinning of civilization, really, in most parts of the globe. And when it goes down, bad things happen. Yeah, of course, there's, I mean, we know there's lots of indigenous communities in Canada that don't have running clean water. But for a lot of the country, right, this is something we expect. We turn on the tap and clean water comes out. We don't, you know, even imagine the fact that it could be contaminated or that it doesn't happen. And so not having that there could be a really serious situation. Oh, absolutely. Absolutely. And when clean water is not coming out of the tap, when no water is coming out of the tap, it becomes very challenging, very difficult to live.
Starting point is 00:21:01 So Patrick, is there a sense that this problem could get worse in the coming years? Like this is something that we need to really start paying attention to? Absolutely. That's everybody I talked to said that this is something that every level of government needs to be paying attention to right now. Sami Khoury, the federal government's cybersecurity czar that I mentioned earlier, said that companies and municipalities really need to wake up to this challenge because not all of them have. There are several industry associations like the Canadian Wastewater Association that do have subcommittees that are looking into this. And they also have a toolkit that they encourage all of their members to, say, change their default passwords.
Starting point is 00:21:47 But more needs to be done. And one of the things, if they have the budget, one of the easiest things to do is just to hire one of the many private cybersecurity firms that has popped up in the last 10 years. They're just responding to the genuine need that is out there for this kind of thing. Patrick, thank you so much for taking the time to be here today. Thanks so much for having me. That's it for today. I'm Menaka Raman-Wilms. Our producers are Madeleine White,
Starting point is 00:22:21 Michal Stein, and Ali Graham. David Crosbie edits the show. Adrian Cheung is our senior producer, and Matt Frehner is our managing editor. Thanks so much for listening and I'll talk to you tomorrow.
