Hackers are testing our water supply systems

How can water and sewage companies defend themselves against hackers? Will we run out of water in our taps?

“No one had noticed this problem before. However, the recent spate of attempts shows that it is serious. And that it will get worse,” says Dr Maciej Niemir, who works in the field of artificial intelligence and cyber security.

What kind of cyberattacks are we talking about? For example, attacks on water treatment plants (Tolkmicko, Małdyty, and Sierakowo in February; Szczytno in May) or sewage treatment plants (in Wydminy and Kuźnica in 2024) or the August attack, which would have deprived the residents of one of the large cities of water. There were more, but not all of them were made public.

What did the February attack look like? We know this from a recording shared by Russian hackers on a Telegram channel. They set all parameters to maximum values – e.g., pressure, volume of filtered water per filter, and sedimentation time. They also changed the access PINs to the devices.

According to CERT Polska, the attack was possible due to the incorrect configuration of a device accessible from the internet. However, it did not cause any damage to the environment or people.

“We can see that for now, someone is doing this for fun, as a test, to build the reputation of a criminal group,” says Dr Maciej Niemir, “But there is also a message behind this: you are not safe. Criminals break into easier places as a form of training. Then we can expect worse, targeted attacks,” he adds.

End of the fun?

“We can see that hackers have identified water and sewage companies as easy targets. Often, no one even notices or reports an attack here. Cybercriminals are testing whether it is easier to disrupt the operation of, for example, 70% of small waterworks or one large one. The effects may be similar,” notes Włodzimierz Woźniak, an AI and cybersecurity expert at Łukasiewicz – Poznań Institute of Technology.

This effect may be a lack of water or a change in its parameters (e.g., too much chlorine), which will make it harmful to health.

Waterworks are part of critical infrastructure, which means that they must be specially protected, including against cyberattacks. However, protection requires financial outlays, which many companies cannot afford. Still, there are three things that every company can implement quickly and without major costs, say researchers from Łukasiewicz – PIT.

Firstly, make an inventory of all devices in terms of where they can be accessed and how they can be hacked.

Secondly, introduce network segmentation, i.e., separate the office network from the one that has access to devices. Hacking is often the result of carelessness or lack of knowledge (e.g., opening an attachment, clicking on a link). If, for example, there are two separate networks, the damage caused by a cyberattack will only occur in one of them.

Thirdly, prepare scenarios for crisis situations (so-called “what if” scenarios). This will allow you to respond more quickly and efficiently if such situations arise.

AI has entered the game

Artificial intelligence has given new opportunities to cybercriminals (e.g., to carry out more personalised attacks) and cybersecurity specialists (e.g., to detect suspicious activity).

“The results of research conducted by Carnegie Mellon University in collaboration with Anthropic are disturbing, as they show that in a simulated environment, artificial intelligence is capable of carrying out a multi-stage cyberattack on its own. In nine out of ten attempts, it achieved at least partial success, and in half of the scenarios, complete success. It is only a matter of time before similar techniques are used in real systems,” says Włodzimierz Woźniak.

There are approximately 1,900 water and sewage companies operating in Poland, and the network managed by these entities is over 515,000 km long.