WaterISAC is aware of two inaccurately described incidents, the details of which were previously investigated and corrected, recirculating as part of the national discussion on the security of the water and wastewater sector. Examining previous security incidents is beneficial to understanding the sector’s threats and vulnerabilities and security posture, but it is essential to ensure such conversations are informed by accurate information. While the sector, like all critical infrastructure sectors, does experience security incidents and takes steps to guard against potential consequences, the following two items are being inaccurately cited as examples of intrusions:
- Kemuri Water Company (2016): WaterISAC followed up with Verizon regarding this incident, which was discussed in the company’s Data Breach Digest for 2016. It turns out that what Verizon reported as occurring at one utility – with the fictionalized name of Kemuri Water Company – is actually a compilation of hacks against more than one organization, perhaps even in different countries. The individual hacks described by Verizon may actually have taken place, but they didn’t occur against one organization. Similarly, all of the reported vulnerabilities may have been real, but they can’t be attributed to one water system. Verizon wove together the different incidents and vulnerabilities to present a cohesive case study.
- Water System in Illinois (2011, also recently reported as 2019): An instance of remote access from a foreign country was subsequently determined to be the result of a contractor accessing the system while on vacation in another country, which he had been requested to do. Investigators determined a pump failure following the contractor’s access to the system to be coincidental.
WaterISAC supports robust information sharing and transparency between utilities, their security partners, and the communities they serve and recognizes the importance of a holistic approach to security. As with all high-profile incidents, it is crucial to learn lessons from what occurred, but it is also important to ensure future actions are not misguided by inaccurate information.
As always, utilities are encouraged to report any incidents or suspicious activity to ensure that the sector’s security initiatives, including WaterISAC’s Quarterly Incident Summaries and best practice resources, are informed to the greatest extent possible by first-hand accounts of what utilities are encountering and defending against.