Cyberattack increases pressure on European water suppliers during drought

A cyberattack on a UK company that provides drinking water to 1.6 million customers has raised security concerns about the vulnerability of these utilities across drought-stricken Europe.

South Staffordshire PLC said last week that its IT systems had been hit by a cyberattack, but it did not affect the company’s ability to provide clean drinking water to customers.

A ransomware group known as Cl0p took responsibility for the attack and posted some data online that it said it stole from the company. The company did not respond to requests for comment.

A map released this week by the EU’s Copernicus Emergency Management Service shows drought conditions.


Photo:

Associated Press

Hacking a water operator during a drought could be catastrophic because these companies usually have no competitors to rely on to deliver water to customers, said Johan Claessens, head of security at Water-link, a public utility that provides drinking water in Flanders, the Netherlands. Belgian-speaking region.

“We don’t have the luxury of having suboptimal production for an extended period of time,” he said. “We really need every drop of water.”

Ransomware groups frequently seek to exploit crisis situations to pressure victimized companies into paying fees to recover their data or prevent sensitive information from being published online, said Juan Caubet, director of the computer security unit and OT of Eurecat, Technological Center of Catalonia, a research organization in Barcelona focused on industrial technologies.

Attacking water companies during a severe drought is a similar tactic to deploying ransomware against hospitals during the Covid-19 pandemic, he said.

Water supply facilities and other critical infrastructure systems often use OT, or operational technology, that is a decade or more old and can be difficult to secure, he said.

Hackers can gain access to corporate computer networks, for example by tricking employees into clicking on malicious links that download malware. Safeguards such as segmenting certain parts of the network to prevent an intruder from moving from IT infrastructure to sensitive industrial equipment are key to avoiding damage to critical services, experts said.

A water treatment plant in Oldsmar, Florida was hacked last year.


Photo:

Chris Urso/Zuma Press

Last year, a hacker broke into the network of a water treatment plant in Oldsmar, Florida, and changed a setting to increase the amount of lye in the water to a dangerous level. A plant operator noticed the activity and reversed it.

Awareness of the potentially dangerous effects of a cyberattack on water supply systems has increased in recent years. Security experts at Oslo’s public water agency began tightening security restrictions a decade ago for operational equipment controlling its water supply and pipelines from computer systems like desktop computers, said Harald Rishovd, who oversees cybersecurity for the city agency. “There was no kind of protection between the different systems. You could do a lot of damage if you had access to computer systems,” he said.

In addition to the challenges of securing industrial equipment, water operators in Europe and the United States are often small businesses or public services with small budgets.

“Frequently, the person managing cybersecurity is the same person who operates the system and cuts the grass, so coming up with complex technical solutions is going to be a challenge,” said Lee Forsgren, former Deputy Assistant Administrator for States Water. -United. Environmental Protection Agency. He is now a senior attorney at HBW Resources, a lobbying firm.

The Biden administration ordered the EPA to create new cybersecurity rules for the water sector by this month, and imposed similar requirements on other critical infrastructure regulators. Cybersecurity and water industry experts have called for an increase in the cybersecurity budget for the EPA to hire experts, expand training, and fund utilities.

European drinking water providers are required to implement basic cybersecurity measures, such as ensuring they can continue to operate in an emergency, and they must report cyberattacks to national regulators.

Europe’s smaller water operators have few employees and often no cybersecurity experts on staff, said Evangelos Ouzounis, head of policy development and implementation at Enisa, the European cybersecurity agency. If a water operator needs to apply a safety update to old industrial equipment, the company often has to send someone to work on the machine in the field, he said.

The European agency communicates and organizes meetings on safety topics and regulations with utilities in various critical sectors, but it is difficult to ensure that water suppliers follow other industries, said Mr. Ouzounis “We deal with thousands of small businesses in this area. . This makes progress very difficult.

More from WSJ Pro Cybersecurity

Write to Catherine Stupp at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8

About Edward Fries

Check Also

Business People: Hiring and Rewards in the Fort Wayne Area | Company

Cason Amornarthakij joined Do it Best as a Category Management Planner; David Badinasenior system administrator; …