Ransomware Attacks against Water Treatment Plants

According to a report from CISA last week, there were three ransomware attacks against water treatment plants last year.

WWS Sector cyber intrusions from 2019 to early 2021 include:

  • In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
  • In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
  • In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).

Posted on October 19, 2021 at 6:07 AM14 Comments


John October 19, 2021 6:45 AM

hmmm…. Glad to see working backup plans.

Seems to me that working SCADA systems should only display measured data via a one way data connection [one wire serial port output?] to an internet connected machine.

I am running this setup. So far I have yet to have my serial data source hacked.

I did have a system data failure due to a roof leak… water drops on the PCB!!

Lots of fun :).


echo October 19, 2021 6:45 AM

Some American policy and regulation areas and practice seem very low quality looking at things from a European point of view.

Hedo October 19, 2021 7:39 AM

Less than two weeks ago, I had a very informative and very pleasant conversation with a young LE Officer (local to where I reside). We talked cyber a lot, extremely sharp for his age, he got out of US Military few years ago, and he is one of the very few on our local police force that digs the reality and the magnitude/importance of cyber threats, present and the ones to come. When we discussed SCADA and ICS, I told him that the legislators of present day are CLUELESS (not all, but most of them), when it comes to awareness of how easy it is, or would be, to conduct many sinister, evil attacks on our vital infrastructure. All our enemies need is the INTENT component.
The intelligent LE officer said that he is confident that the changes must and will come rather quickly, in terms of clueless (cyber-unaware) legislators not having the smallest chance of being elected/voted into any high office because here we are, in 2021, where literacy is determined by one’s knowledge of how to have basic/minimum measures in place when online so we’re not walking around with a target painted on our backs.

Cyber/drone warfare/defense capabilities are the way of NOW, and even more so of the future, so having Bruce Schneier as The President of The United States of America would be the COOLEST THING I could possibly witness, and live to see, in my lifetime, hopefully. Please do not laugh, Bruce knows the POLICY, and he knows the security. This would be the KICK ASS, the mother-lode President of the USA! And hopefully he’d set some standards that all other, future presidents of the USA, would have to meet and follow.
America deserves a President of Bruce’s caliber. Let’s get this thing started America. LET’S DO IT. Please. Bruce Schneier for President would be the NIGHTMARE for all our enemies around the world. It is the way of the world right now, later might be too late. God bless America, and Bruce Schneier.

Clive Robinson October 19, 2021 8:26 AM

@ ALL,

Why are we not looking at “cause and effect” rather than going “OMG Ransomware” or what ever the latest effect is.

Two causes to think about,

1, Insecure Systems.
2, Connected to world wide public access network.

Whilst there are other causes removing either of the two above would prevent the “effect”.

The simplest and the one with least impact –except to the bottom line– is to disconnect insecure systems from any external communications.

Thus the all important “hidden cause” which is “bottom line”. In the past utilities had no option but to put in place private extreamly limited are of access control systems and man the on site 24×365.25.

Now however neo-con / MBA mantra is about “instant profit” at the expense of all else.

So “Quick and shody, but with nice paint” is the “Slap lipstick on the pig” behaviour that those “in charge” of utilities and other infrastructure such as roads, bridges, drainage etc go for.

That is they trade a very small quick profit for a long term major disaster that will happen…

But just as long as it’s not in this quater, they will “Bank the Bonus”.

Whilst seeing the causes is getting easier, seeing the solutions is not.

Because trying to use either technology or legislation to solve what are societal problems, rarely if ever works, and almost always has “unexpected consequences” that cause further harms, upto and including “weaponisation”.

Impossibly Stupid October 19, 2021 10:17 AM

Color me unsurprised. I blogged way back in 2013 about an attempt to spam my site coming from the Los Angeles Department of Water and Power. I ended the post with:

Once the bad guys realize that a hacked machine on the inside of an important organization has more value than sending comment spam to a random blog, things are going to get real messy.

Even ransomware is a rather unsophisticated use of that kind of illicit access. It’s only a matter of time before we start seeing regular cyberwarfare attacks on infrastructure that make Stuxnet look tame.

John October 19, 2021 1:21 PM


I recommend the multiple network idea with the local network not connected to the outside net ever. Unfortunately is easy for some user to ‘plug-in’ for some reason or another!

That and core business data is on a PC never connected to anything else, doesn’t have USB, etc.

Sneaker net is still a good idea. But floppies are harder to find now.


Me October 19, 2021 1:38 PM

“Seems to me that working SCADA systems should only display measured data via a one way data connection [one wire serial port output?] to an internet connected machine.”

The company I work for sells “data diodes” for this purpose, which are basically fiber-optic “cables” without the cable, or the reverse signal.


Light source -> Light detector

I was happy to hear that we were taking security seriously and making intrusion through our interfaces physically impossible (at least until the customer works around it).

Clive Robinson October 19, 2021 3:33 PM

@ Me, ALL,

The company I work for sells “data diodes” for this purpose, which are basically fiber-optic “cables” without the cable, or the reverse signal.

What about “error correction”?

Whilst there are several ways to make one way data links, even when they have higher error protection mechanisms such as FEC etc, such techniqies are by no means 100%…

I’ve looked at a number of high end high through put data diodes in the past… and guess what, they used ordinary “feed-back” based error correction to control via a “reverse signal” the data flow in the forward direction…

Even in much lower capacity devices which clearly do not have a “reverse signal” your comment about,

at least until the customer works around it

Indicates what I have found in the past, which is some non security person “bridges back” in some way without adequate security measures to “improve reliability” or more correctly “remove the need for human intervention” to resend files etc.

@ ALL,

So when you are thinking about using a “Data Diode” primarily for security, you need to check there is no “error path” which just happens to be a “reverse signal”. Be it in the data diode or subsequently “bridged” in some manner that is not secure.

For those asking “Can you have a secure bridge back?” the answer is,

“In theory NO, practically the answer is also NO unless it goes through some specialized measures.”

These come under the “gap crossing techniques” and they require quit a bit of knowledge, not just about the “channel” but as importantly all the devices on eirher side. After all if someone puts something in a software update for software you use…

But for just the comms channel, the first thing you generally want to do is not just limit the “traffic types” to a very small subset, you also want a method to monitor and enforce it (instrumentarion driving gates).

Secondly you want to reduce the opporrunity of “time based side channels” which basically means,

2A, Reducing the bandwidth.
2B, Stopping time correlation.

So 2B needs firstly quite a large temporal independently random displacment, secondly independent re-clocking to stop jitter/phase based channels.

Then there are other side channels which I’m not even going to start in on here, but I have mentioned in the past when talking about “Energy Gapping” and gap crossing “Choke Points” that require instrumentation at all protocol levels.

As students at Ben Gurion University keep denonstrating there are very many ways energy that can carry information can go across conventional “air gaps”. These ways used to be hard, these days for various reaaons they are as the students denonstrate effectively easy.

So what level of security you need depends on what your actuall threat level is. As stuxnet demonstrated even though you take significant precautions you can still be easily compromised.

But… the problem of course is your perceived threat level, may not be correct. In the case of stuxnet Iran was in effect a “stepping stone” for the US to try to get at North Korea (which failed).

Any utility company has many customers some of whom may be considerably higher risk, thus being used as a “steping stone” needs to be taken into account in the risk assesment process otherwise what you percieve as your risk level may be well off what others think…

MarkH October 19, 2021 3:54 PM

@me, Clive, et al:

We had some discussion of “data diodes” a few years ago in reference to airliner entertainment systems.

Airliners are a special case for a variety of reasons, but when one-way data flow is useful, error correction may be dispensable.

For monitoring of an infrastructure plant, I can imagine status messages emitted once per second.

In typical cases — like a water treatment plant — changes significant to the safety or stability of operations will take place over a span from minutes to hours.

Even if a substantial percentage of updates are lost in the communication channel, the people and/or automated systems remotely monitoring the plant have a very high probability of receiving news of an important status change within a minute.

If the corrective action includes sending a person to the facility, the small delay resulting from partial message loss is inconsequential.

I’ve worked most of my career with industrial remote monitoring systems; such time-frame considerations are typical.

mexaly October 19, 2021 5:57 PM

Part of infrastructure repair will educating operator/managers about the importance of good network security.
Or not.
We can only hope it takes a limited number of disasters to get past negligent security.

MarkH October 19, 2021 7:03 PM


The “skipping record1” of security is that outside of a few traditionally security-focused domains, decision makers are reluctant to spend money on it.

Even so, I’m cautiously optimistic. Heavy losses — financial or social — shift attitudes, albeit with frustrating slowness.

A non-security example is the Three Mile Island nuclear accident, in which health effects were nearly zero, but economic losses (mainly to the power plant operator) were astronomical.

After that, certain regulatory standards were greatly increased, and the utilities operating nuclear plants were willing to pay the money: spending millions to save billions appeals to the most ferocious bean-counter.

I expect that there will be some series of ugly infrastructure attacks … but in reaction, government and industry will, over time, mandate effective (not just cosmetic) security standards.

  1. For younger readers, skipping records would produce protracted repetition of a brief sound. 

MarkH October 19, 2021 7:13 PM


Some of the infrastructure or military clients I’ve dealt with practice strict isolation of their operational networks.

Not only are they kept apart from the public internet, but also any new piece of equipment for use inside the operational network must be vetted before permission is granted to connect.

Where connections to the “outside world” are needed (for engineering and test purposes, e.g.) these are done via controlled and policed network bridges.

While none of this is bulletproof, these organizations are in far better posture than those still hooking SCADA systems to the public internet.

Peter A. October 20, 2021 8:57 AM

I wonder why, while talking about insecurity of Internet-connected SCADA systems, it’s quite often that water treatment plans get most publicity. It’s irrational. There are many other industrial systems in which control or even monitoring disturbance could have far, far more catastrophic consequences, like huge fire, release of dangerous chemicals, etc.

What could go “horribly” wrong in a water plant? Water is not flammable. Dangerous chemicals are often present, but their supply is very limited compared to the volume of water that goes through, and dosage is limited physically, it’s not like all taps in the county suddenly start dispensing concentrated hydrochloric acid.

Denial of service may be a problem, probably, if one manages to stop the pumps in a pumped facility. But nowadays you can cause DoS by just peeing into the reservoir (well, in Oregon at least). Substandard water quality is also a possibility, when the treatment feedback loop is disturbed, and may sometimes go undetected for some time. However, both of these problems occur “naturally” without hacking SCADA, caused by regular malfunctions, and recovery protocols are well-established.

echo October 21, 2021 11:39 AM

@Peter A.

I wonder why, while talking about insecurity of Internet-connected SCADA systems, it’s quite often that water treatment plans get most publicity. It’s irrational. There are many other industrial systems in which control or even monitoring disturbance could have far, far more catastrophic consequences, like huge fire, release of dangerous chemicals, etc.

Perhaps it’s the only thing lazy or overworked journalists have the time to get their head around. Another though is stick to relatively benign things like water treatment plants as a thought model rather than expanding the discussion to other equivalent plant at risk because it gives the wrong sort ideas and you end up with a security problem multiplying one hundred fold.

There have been times when I have winced when some people mention certain things as well as eye rolling at over-engineered solutions which are more misinformation than anything useful.

A large axe to site data cables solves a lot of problems. So what if plant goes offline for a few days. It would get people putting proper systems in place! Good heavens they may even learn how to use a pencil.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.