India has 18% of the world’s population, but only 4% of its water resources, making it among the most water-stressed countries in the world. However, more than 40% of the water produced in many cities is wasted before reaching the final consumer due to leaks or theft. Thus, reducing water losses and maintaining water quality and adequate supply are important not just for the efficiency and financial sustainability of water utilities across Indian cities but also for sustainability.
To better manage the existing water distribution network and infrastructure, and streamline the management process, urban local bodies (ULBs) are incorporating technologies such as supervisory control and data acquisition (SCADA) systems into their day-to-day operations. ULBs across the country are introducing online portals for civic services and deploying advanced treatment technologies for water monitoring and maintenance.
SCADA systems have already been adopted in cities across the country. While automation has minimized water losses, ensured better water quality, and reduced the cost of running the plants, cyber threats are a looming danger that the authorities need to mitigate effectively and in earnest.
Cyber attackers can shut down the treatment process, potentially resulting in unsafe water being distributed to the public. The threat is real. In addition, attackers could also gain access to sensitive information such as login credentials and chemical formulas. It has become crucial that water treatment plants take proactive measures to protect their systems and networks from cyber attacks and have an incident response plan in place to quickly respond to any attack that may occur.
Although most cyber attacks go unreported, it is known that the number of cyber attacks on critical infrastructure, including water treatment plants, has been increasing in recent years. In the case of a cyber attack on a water treatment plant, the consequences can be severe and far-reaching. Some possible consequences include:
- Disruption of operations: A cyber attack can disrupt the normal operation of a water treatment plant, potentially leading to unsafe water being distributed to the public.
- Safety risks: A cyber attack can cause safety risks to workers and the public, such as by releasing harmful chemicals or altering the treatment process.
- Financial losses: A cyber attack can result in financial losses for the water treatment plant, such as lost productivity, damage to equipment, and the cost of restoring normal operations.
- Environmental damage: A cyber attack can lead to environmental damage, such as by releasing untreated wastewater into rivers or streams.
- Loss of sensitive information: A cyber attack can result in the loss of sensitive information, such as login credentials and chemical formulas, which can be used for further attacks or to cause reputational damage.
- Public health risk: A cyber attack can lead to a public health risk if the water treatment plant is unable to provide safe drinking water.
- Reputation damage: A cyber attack can cause reputational damage to the water treatment plant, potentially leading to a loss of trust and confidence from customers and the public.
Cyber Security for Water Treatment Plants
The International Association of Water Security Professionals (IAWSP) has reported that in recent years water utilities have been affected by ransomware, phishing, and other types of cyber attacks. SCADA (Supervisory Control and Data Acquisition) networks are used to control and monitor industrial processes, including those in water treatment plants. These networks are vulnerable to a variety of cyber attacks. Some of the common types include:
- Remote code execution: This type of attack allows an attacker to execute arbitrary code on a system, potentially allowing them to take control of the system or disrupt its operation.
- Denial of service (DoS): This type of attack is designed to flood a network or system with traffic, rendering it unavailable to legitimate users.
- Man-in-the-middle (MitM) attacks: This type of attack involves intercepting and potentially modifying communications between devices on a network.
- Phishing: This type of attack uses social engineering to trick users into providing sensitive information or clicking on a malicious link.
- Ransomware: This type of attack encrypts a system’s files, making them inaccessible until a ransom is paid.
- Advanced persistent threat (APT) attacks: These types of attacks are sophisticated and targeted, often involving multiple stages and techniques to gain access to a network and maintain a foothold over a period of time.
- Malware: This type of attack involves using malicious software to gain access to a system or network, steal information, or disrupt operations.
Water treatment plants should take a few basic cyber security measures to protect their systems and networks from cyber attacks. Some of these measures include:
- Implementing network segmentation: This involves dividing the network into smaller segments, making it more difficult for attackers to move laterally and gain access to sensitive systems.
- Using strong authentication: This involves using multi-factor authentication (MFA) or other forms of strong authentication to prevent unauthorized access to systems and networks.
- Keeping software and systems updated: This includes ensuring that all software and systems are up to date with the latest security patches and updates. Patch management solutions need to be deployed, as one unpatched device may prove to be the weakest link and lead to a breach of the whole network.
- Conducting regular security assessments and penetration testing: This involves regularly testing the security of systems and networks to identify vulnerabilities and weaknesses that need to be addressed.
- Developing incident response plans: This involves having a plan in place to respond to a cyber attack, including identifying key personnel, procedures, and communication protocols.
- Implementing a monitoring system: This involves using tools like Network Management System (NMS) and SIEM (Security Information and Event Management) to monitor networks and systems for unusual activity and suspicious events.
- Regular employee awareness training and a disaster recovery plan are also critical.
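An added example, not part of the original article: one way to combine the segmentation and monitoring measures listed above is to check network flow records against a zone policy and alert on any cross-zone connection outside the permitted conduits. The zone names, address ranges, allowed ports and sample flow records are all constructed assumptions for a hypothetical plant.

```python
import ipaddress

# Constructed zone plan for a hypothetical plant (assumption, not from the article).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "scada_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "plant_control": ipaddress.ip_network("10.30.0.0/24"),
}

# Permitted conduits: (source zone, destination zone, destination port).
ALLOWED_CONDUITS = {
    ("corporate_it", "scada_dmz", 443),    # read-only historian web view
    ("scada_dmz", "plant_control", 502),   # SCADA server polling PLCs (Modbus/TCP)
    ("scada_dmz", "plant_control", 4840),  # OPC UA
}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2024-01-05T02:10:11 10.10.4.27 10.20.0.5 443
2024-01-05T02:10:15 10.20.0.5 10.30.0.12 502
2024-01-05T02:11:02 10.10.4.27 10.30.0.12 502
2024-01-05T02:11:40 10.30.0.12 203.0.113.9 443
2024-01-05T02:12:03 10.30.0.12 10.30.0.13 502
"""

def zone_of(ip):
    """Map an IP address to its zone name; anything unlisted is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def segmentation_violations(flow_text):
    """Return (timestamp, src_zone, dst_zone, port) for flows outside the policy."""
    alerts = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, port = fields[0], fields[1], fields[2], int(fields[3])
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "external":
            continue  # intra-zone traffic is outside the scope of this check
        if (src_zone, dst_zone, port) not in ALLOWED_CONDUITS:
            alerts.append((ts, src_zone, dst_zone, port))
    return alerts

if __name__ == "__main__":
    for alert in segmentation_violations(SAMPLE_FLOWS):
        print("ALERT cross-zone flow outside policy:", alert)
```

On the sample data this flags the direct corporate-to-control connection and the control-zone host reaching the internet, while the DMZ-mediated polling passes.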
We approached industry leaders in cyber security and consultants who design water treatment plants for further insights. Alok Tripathi, a SCADA engineer at a firm that consults for government departments in India on water treatment modernization projects, said, “SCADA OEMs are regularly reporting vulnerabilities.
For example, in 2019, the US Cybersecurity and Infrastructure Security Agency (CISA) reported a vulnerability in Siemens SIMATIC WinCC and PCS 7 that could allow an attacker to execute arbitrary code and take control of the system. In 2020, a security researcher from the company CyberX reported a vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) that could allow an attacker to cause a denial of service (DoS) attack on the system.
Authorities are now checking whether the projects are considering cyber security from the design stage and whether the solutions comply with global and international guidelines.”
Sourish Dey, Director at Trisim Global Solutions, a cyber security solutions company, shared, “There is growing concern about cyber security in water treatment plants with the knowledge of attacks on critical infrastructure in India and globally. Most leading OEMs of SCADA platforms like Honeywell, ABB, Rockwell, Schneider, and Siemens are reporting vulnerabilities.”
Shaunak Modi, Director at Trixter, a Made-in-India SIEM platform with multiple installations in smart city projects in India, opined, “It’s important to note that the security of ICS systems is dependent on the security measures implemented by the end-users and not to be left to the OEMs of ICS systems. It’s important for end-users to implement robust security measures, such as network segmentation and OT security, and to stay up to date with the latest cyber security best practices and regulations.”
Sourish suggested that his company is working with cyber security companies like Trend Micro, whose solutions are meant and customized for OT security. “Not all solutions that work effectively in an IT environment are suitable for securing OT or SCADA networks. Companies like Trend Micro have specialized solutions that are designed to protect water treatment plants and other industrial control systems from cyber threats. They provide real-time threat detection, automated incident response, and security analytics that work effectively in an OT environment.”