Water Supply Security: Is it time to ditch the World Wide Web and return to peer-to-peer intranet?
WT Interview with Dr. David Murakami Wood, Professor of Critical Surveillance and Security Studies, Criminology, Faculty of Sciences at the University of Ottawa
WT: Thanks for doing this David. When you did the CBC interview, you mentioned water plants specifically, and what could be security issues there. Can you tell me, why water plants?
Dr. David Murakami Wood: Water plants are one of those large-scale infrastructures that are very, very unprotected.
Even in the context of a more general consideration of infrastructure, which is increasingly infiltrated by the internet of things, by the internet, these are in general very insecure. Water plants in particular are very insecure indeed.
Systems controlling particular additives to the water have been hacked in the Middle East, this has already happened.
We know (attacks on the water supply) can be done. It’s a big threat. I mean, if you can adulterate water basically by the click of a keyboard without really having to break into the plant, then we’ve got a big problem.
WT: When you talk about breaking in and not breaking in, what do you mean?
Murakami Wood: Most of the infrastructure is either in so-called Smart Cities or smart technology. Components for Smart Cities are made in large quantities. The particular sensors and the systems that uphold (municipal) infrastructure don’t generally have very strong default security settings. In many cases, companies and cities are very much like people: when we buy technology, we don’t move them off default settings, and they stay that way, on the factory settings.
Unless you specifically pay attention, having training on all these devices, on the plethora of sensors that go into making up the Smart Cities of today, unless we pay attention to security, there is going to be a deficit of security. Water plants generally don’t pay much attention (to cyber security). Water managers may not think there is much of a threat, but we should. Going way back in` history, water supplies have been a target.
WT: There have been one or two attacks on water supplies in the USA, and the Middle East. If I am working at my desk in a water plant on Windows, is there something I should be doing? Is there anything I can do that is more important than some other things?
Murakami Wood – I don’t know what you are exactly looking at, I am not an expert at water treatment systems or their security, per se. What I am suggesting is that if you have sensors in your water plant that are “off the shelf”, bought in large numbers, go and adjust the factory settings. Find the manuals, and change the settings, and you will have more control over security.
In many cases, people won’t have done this at all. That’s the first thing.
Next, think about how your system is connected and to which network. I would tell people to think about their cyber-security, the first thing you should do is think about whether (water plant operations) need to be online at all.
It is certainly possible to have a very good intranet, a very good system designed to look after its own water supply that has no actual connection to the internet - the wider, network of networks – at all. Often, you don’t need to send (water management data) over the internet, or through an intermediary such as Microsoft or any of the large cloud platforms. In many cases, when there are vulnerable systems at risk, it makes more sense not to do that at all.
Of course, then you’ve got to have some in-house expertise, and this can be a problem since we have outsourced our (cybersecurity) expertise. In many cases, now we no longer have IT security experts on hand at the water plant, at the power plant or anywhere else.
WT: If they don’t have an IT person in-house, perhaps an inquiry to upper management to see who handles IT for the operation? As of late, at conferences, “experts” have been telling utilities to do some type of cyber-security audit on their systems. Can you tell the viewers a little bit about what an audit is, so that when they do talk to management, perhaps they could bring this up as well?
Murakami Wood: I am not a hands-on security expert, so I am going to tell you what I would do; it may not be what a professional security expert in the field would actually do.
The first thing I would do is assess all of those small devices that are used in the surveillance of the water system itself.
If you have a lot of sensors, for example, find out which company they are from, how do you set them up? How you actually make them secure in the first place? Many people have never done that. That’s the first thing, actually making a count, and an account of all the different devices you have feeding into your network. Then, think about network security.
It’s one thing to have secure devices, but the devices that are networked with another route can be hacked. Examine your network, is it an intranet? In this case, you are probably much better off because it is closed to the outside. If it is not an intranet, think about making it one!
Ask, is it actually necessary to have (water system controls) on the internet as such? If you have got an internet-based system and you are using Microsoft 365, which every institution uses these days it seems, to think about where your data is going. Microsoft has security features but it has its own problems. Your data is going elsewhere, to the (cloud), the US likely, that can be a problem.
All of these things must be considered, right from the sensors that are collecting the information in your water plant and then to the macro, to the network level, at each of those levels there are going to be vulnerabilities. That’s what you need to assess, find the vulnerabilities and fix them quickly. The problem with outside hackers is they can get in at almost any point. Once they are at the sensor level, they can use that access to go anywhere.
WT: There is a lot of truth to that. What is your Surveillance Studies network, and what is Big Data Surveillance and Security Intelligence? I am looking to explain to those in our industry, whether water or wastewater treatment, what is this? Is this something a water plant operator needs to worry about?
Murakami Wood: I don’t think they need to worry about it, the big question is whether you are already doing it or not.
First of all, Surveillance Studies, is what we would call an interdisciplinary field. It’s not a specific discipline like sociology, geography or engineering. It’s a place where lots of different people come together who are interested in surveillance as an issue. They could be interested in it from a practical point of view, they could be interested from a political point of view, or from a social point of view. It’s a field which tries to think about how society, in general, has become increasingly organized through means of surveillance. So, whether you are talking about health or education, or in the military or in policing, or of course, even in water supplies, surveillance is happening. This is not necessarily the practical sense, it’s not advising on how to do better surveillance, but interested in assessing how (surveillance) affects people in society more broadly.
When it comes to Big Data, what we are talking about here mostly is this trend toward the accumulation of greater and greater amounts of data, often accumulated for no (defined) purpose. Much of this data, especially from social media, has been collected by companies like Google and Facebook, initially without any particular purpose in mind. It was only in the early 2000s that companies like Google realized they had a goldmine on their hands, realizing this massive amount of data, unsorted and unused, could be used to start to profile people, turning data into marketable products, especially for selling to advertisers.
It’s also become something of interest for institutions like health and education. People starting to realize, there is an awful lot of marketable data there, not marketable in a capitalist way, but maybe useful for improving health and education. At least, that was the original impulse. Of course, you can never really separate the improving from the marketing. There is always someone that wants to make money off this.
It may mean something within water management depending on how water management is being done. Increasingly, the water industry is becoming dominated by a smaller and smaller number of very big players. Within Europe where I come from, there are only, I think, two or three major players in the water industry now. They have taken over everything. They are certainly operating on a Big Data scale; they are accumulating data on all aspects of what they do. They certainly apply it to the overall strategy of their companies and to the management of their plants.
I think, if Big Data is not already being used by many of the people reading this, it will soon be using them!
WT: Can you talk to me a little bit about cyber-security years back? When I grew up, the whole idea of security was around peer-to-peer systems. I have a computer, I have a modem, that modem calls a number, another modem answers and then I am connected to my central network. Where did peer-to-peer go? Why is the security of peer-to-peer not offered front and center to these infrastructure suppliers?
Murakami Wood: It’s still there, there is still peer-to-peer. Really what’s changed, it’s gone from “one to one”, to “one to many”.
A lot of what happens now on the internet isn’t so much individuals communicating with one other person, it’s people essentially broadcasting aspects of their lives to many, many people. There are thousands upon thousands of people broadcasting themselves, and they may get something back and they may not. So, the internet turned into a kind of marketing machine for individuals, essentially to sell themselves, but of course then also the suppliers, the platforms that provide all these services are there to harvest data on all of these people doing this broadcasting, making enormous amounts of money packaging the profiles of people to advertisers. They can say “this kind of person might like this [product/service]”, and “those people will buy that” and sell those profiles.
The internet has changed from being a system facilitating peer-to-peer connection to now a system that facilitates the marketing of large amounts of information based on people’s activities. That is the primary driving force now.
WT: We are the product.
Murakami Wood: The thing is, we are not JUST the product – we are the producer, we are the consumer, and we are the product.
We don’t realize our power now. If we are all those things, potentially we have a lot of power collectively. Individually the information we provide is virtually worthless, together, it’s billions. The question is, how can we act collectively (to realize the potential)?
WT: In our experience, the water industry, whether water or wastewater operators have not said to us at conferences, “Cybersecurity is number one on our to-do list”.
Do you think it will have to be like so many other media events, where someone does hack into a water plant, does hit the chlorine button, adding more chlorine or less? Do you think it will come to that? Or do you think water companies across the country will start to explain to their employees and stakeholders that cyber-security is a lot bigger than people have thought until now?
Murakami Wood - This has already happened, in 2018, in Saudi Arabia. There was a cyber-attack on a water supply of exactly that nature.
It’s not just a theoretical possibility, it has happened, and it can happen again.
In a CSIS report that just came out, these kinds of things are mentioned, (attacks on public infrastructure) are happening. Foreign actors being able to access water plants and being able to change the concentrations of additives in the water is a real threat. With the additives and metals we have on-site at many of the water plants, there could be very serious consequences, depending on what is being put in the water. In large quantities, these additives can be extremely dangerous.
It’s not so much IF it happens again, but when it happens again. (Cyber-security) needs to be on the agenda in the water industry.
WT: I certainly want to highlight your organization because you are doing the interview. Are there other organizations that might help water plants get up to speed on their cyber-security?
Murakami Wood – I don’t know of any organization that is dealing with infrastructure surveillance and security on that level. There may be, but I don’t know of any.
There are experts involved in Smart Cities security, hopefully, the municipalities have some interest in this field. It could be that people could apply their expertise from Smart Cities security to water security.
There are lots of investigative and academic groups at work on hacking. There is a citizen lab in Toronto, working on hacking infrastructure. They are exposing (risk/vulnerabilities) but are not really into practical security.
WT: I really want to thank you for doing this.