Hackers Are Coming for Your Tap Water


  • 7/27/2019 Hackers Are Coming for Your Tap Water


    Bad News: Hackers Are Coming for Your Tap Water

    Foreign attacks on Kyle Wilhoit's online decoys suggest that municipal pumps are easily violated.

    Kyle Wilhoit, a 29-year-old Missourian working for a cybersecurity company called Trend

    Micro, has spent the last year building fake water plant control systems that mimic the

    online control systems used by real American utilities. Dubbed "honeypots," these sorts of

    decoys are deployed to draw in the ill-mannered beasts of the internet: malicious hackers.

    Wilhoit's traps appear to be working. Hackers employing a software tool used by the

    Chinese army, as well as hackers that appear to originate from Russia, Palestine, Germany,

    and other countries, have been breaking into Trend Micro's phony US water systems. In

    some cases, they have gone so far as to steal files so they can access the systems again.

    They also have gained access to imaginary pumps, which in a real scenario would allow

    them to modify water pressure, temperature, purification level, and even shut off the flow

    entirely.

    "What would the Chinese army want? Do they want to

    contaminate US water plants?"

    "Everyone has talked of [these systems] getting attacked, but I wanted true numbers to

    prove the attacks were occurring," says Wilhoit, who presented the report of his company's


    findings at the Black Hat conference in Las Vegas last week. "I was expecting typical drive-

    by automated attacks, but never dreamed of having a true targeted attack."

    Matthew Rhoades, a cybersecurity expert and director of legislative affairs for the Truman

    National Security Project, told Mother Jones that he's "not totally surprised" by the report,

    given the past allegations of foreign entities attempting to infiltrate America's critical

    infrastructure. (In May, for example, the Wall Street Journal reported that Iran was hacking

    into our oil, gas, and power firms.) "The question is," Rhoades says, "what would the

    Chinese army want? Do they want to contaminate US water plants? Are they mapping it out

    as a contingency for some sort of future conflict? The latter seems like it's a potential, and

    that wouldn't surprise me either."

    Since late last year, Wilhoit and Trend Micro have deployed 12 honeypots in eight countries,

    mimicking servers that control water pumps. (Earlier this year, a study supported by the

    Department of Homeland Security found that more than 7,000 industrial control systems, a

    broad term encompassing water, gas, and electrical systems, were connected to the

    internet in the United States.) The traps feature control toggles for temperature, on/off

    functionality, and other password-protected settings. Water systems are easy to imitate

    since their cybersecurity is "typically very lax," Wilhoit explains. "Attempting to mimic a

    nuclear plant would be very difficult."

    Trend Micro set up the decoys to draw attention to the state of critical infrastructure

    cybersecurity. After the honeypots were deployed in November 2012, it took only 18 hours

    for the first hacker to visit. In December, using HACKSFASE (the same tool used by the

    Chinese army to attack US government agencies, according to the New York Times and a

    security company called Mandiant), a Chinese-based hacker infiltrated one of the US

    honeypots and tried to access multiple pages. The person also made a successful spear

    phishing attempt, sending a fake email to the owner's account in order to automatically

    collect login information. Richard Bejtlich, chief security officer for Mandiant, says that

    claiming the Chinese army is attacking water plants because a hacker is using HACKSFASE

    is "weak attribution." However, he wasn't aware of other countries using the tool.

    Trend Micro also saw attacks of US origin targeting

    honeypots in Russia and China.


    Trend Micro has also traced cyberattacks in the US coming from Russia, Germany, France,

    the United Kingdom, and Palestine, and attacks originating in the United States that

    targeted honeypots in Russia and China. Ten of the cyberattacks, including the Chinese

    attack, were deemed "critical," meaning that, in a real-life scenario, a hacker could have

    altered or turned off a city's water supply. (None of the attacks originating from the United

    States fell into that category.)

    Trend Micro also reported that some American water control systems could be found online

    using a simple Google search. The cities I contacted were cagey about whether their

    systems had online controls and what steps they took to defend them against hackers. But

    they all promised that their supplies were secure. For instance, Pamela Mooring, a

    spokeswoman for the DC Water and Sewer Authority, writes in an email: "DC Water staff

    attend briefings on cyber attacks and other threats to utilities, and the Authority has a

    Cyber Response Plan."

    Alan Roberson, director of federal relations at the American Water Works Association, says

    most American utility companies "are aware that they need to separate their control

    systems from the internet, but we still don't know how many have done that, and how

    many vulnerabilities are left." He adds, however, that if a utility company knew it was under

    cyberattack, it could manually take control of the system and easily block intruders.

    Last week, the Senate Committee on Commerce, Science & Transportation cleared

    the Cybersecurity Act of 2013 (introduced in the wake of President Obama's corresponding

    executive order), which addresses vulnerabilities in American infrastructure by encouraging

    companies to follow set cybersecurity standards. If it passes, Roberson says, it will help

    safeguard water supplies by giving utility companies a way to justify the added cost of

    security to their boards and customers.

    Wilhoit also supports the bill, although he'd like to see the federal government test the

    specific software and hardware that utility companies are using. "If my system is a realistic

    depiction of a real water pumping system," he says, then "compromising a real water

    system would be very easy."
