Tag archive

cybercrime

Officials Worried About Wyoming’s Vulnerability to Water Supply Cyberattacks


By Jen Kocher, Cowboy State Daily

There was a time when the greatest vulnerability to a municipality’s water system was a teenager, drunk, climbing a water tower, opening the hatch and getting rid of his beer, Mark Pepper, executive director of the Wyoming Association of Rural Water Systems, said.

Then this past January and March, a hacker infiltrated a city’s supervisory control and data acquisition (SCADA) system, which gave them all a wake-up call to the seriousness of cyber threats to the state’s fresh and waste water supplies.

A wake-up call that has been four years in the making, as cyber threats started creeping in a few years ago and systems have been trying to address these types of issues ever since. But now, we don’t have the luxury of waiting any longer to really dig in and get systems up to speed, Pepper said.

He won’t comment on which town was potentially hacked, saying only that they were able to shut it down before any malfeasance was done to the water supply.

Water Systems Infiltrated

What might have happened? One needs only to turn to a water treatment plant in Oldsmar, Florida, whose alert plant manager averted a potentially serious threat last February when he saw his cursor moving around on his computer screen, opening various software functions controlling the water treatment.

The manager witnessed several functions being manipulated, including watching the sodium hydroxide, commonly known as lye, getting boosted up to 100 times its normal levels, according to the Associated Press (AP) article shared by PEW. The compound, which is also the main ingredient in liquid drain cleaners, is used to control acidity and remove metals from drinking water.

Had the hacker been successful, the 15,000 or so residents of the town may very well have been victims of lye poisoning that causes burns, vomiting, severe pain and bleeding.

Luckily, the operator was able to reduce the inflated levels of sodium hydroxide back to normal levels once the hacker left his computer. Even if the hacker had succeeded, there were other safeguards in place to keep the water balances in check, the article noted, adding that the public was not actually at risk.

But still.  

For Pepper and others in the field, the hack was enough to draw their attention to the potential vulnerabilities in Wyoming’s water and waste treatment facilities.

Experts Paying Attention

Pepper shared these concerns in a recent forum at the CyberWyoming Alliance virtual conference in early October during a conversation with Texas computer network intrusion and detection expert Dr. Gregory White.

In the conversation, the two discussed the inherent vulnerabilities of Wyoming’s water supply networks, the importance of residents protecting themselves by keeping at least a two-week supply of water on hand, and the importance of increased cyber and IT training for water plant employees and financial buy-in from the state legislature and government officials.

Wyoming’s rural, relatively unpopulated towns and cities present a unique challenge to the state’s water infrastructure, Pepper noted.

The chairman of the U.S. Senate Committee on Environment and Public Works, Tom Carper, D-Del., would agree. During his opening comments at a committee meeting on July 21, Carper addressed the growing threat of cyberattacks on the nation’s critical water infrastructure.

“Cyber vulnerabilities in our water systems represent unique national security challenges. A major breach in our water infrastructure system could jeopardize the safety of our drinking water and impair communities’ ability to safely dispose of harmful waste, threatening human health,” he said.

Pepper is well aware of the risks.

780 Public Water Systems in Wyo

Currently, there are 334 community water systems in the state, 96% of which are owned and operated by municipalities with the rest overseen by special districts. In addition to these systems, there are more than 450 non-community water systems, mainly guest ranches, dude ranches, bed and breakfasts and campgrounds, that must comply with the Safe Drinking Water Act but do not employ licensed water operators.

In total, that adds up to around 780 public water systems with only 33 serving populations of 3,300 or greater. The vast majority instead service towns with populations of 3,300 or fewer residents with 92 percent serving populations under 500.

This presents an enormous challenge when it comes to getting employees trained and systems updated in keeping with the Drinking Water and Wastewater Infrastructure Act of 2021 passed by Congress at the end of April by nearly unanimous, bipartisan consent. In part, the new law reauthorizes programs supporting water infrastructure with the goal of providing safe drinking water as well as wastewater facilities. 

In tandem is the Safe Drinking Water Act (SDWA) enforced by the Environmental Protection Agency (EPA) that dictates drinking water standards for more than 90 contaminants in the interest of public health.

Under SDWA, all public water systems regardless of size are required to have an emergency response plan that should be continually updated as needed.

Wyoming met the timeline for the assessments for systems over 3,300 and is on track to meet the updated ERP requirement, according to Pepper, which duly made it clear that some of the computer systems and the level of cyber awareness and training were by modern standards woefully out of date, he said, indicating a need for investment in both the human and technological upgrades in water infrastructure and training.

There’s a significant cost to doing both, Pepper acknowledged, as he and his association continue to urge that these upgrades be made to protect public health.

Five Attempted Hacks So Far

To date, Wyoming has experienced five attempted hacks on its rural water systems. Two of those were the aforementioned attempted infiltrations of the municipality’s SCADA system.

They were interrelated attacks, Pepper said, due to the IT employee’s inability to completely root out the ransomware (albeit a very sophisticated attack) in the first attack, which left a backdoor open that the hacker exploited.

It was an auxiliary computer tied to the main computer system, and the FBI and other agencies conducted a forensic investigation, Pepper noted, the results of which are still pending.

The other three infiltrations came through emails to the city clerk and other employees in email phishing scams. Though the water systems were not in direct jeopardy as a result of the attacks, the computer system governing billing and other functions was essentially shut down for a week.

Pepper worries that supply chain phishing scams will be the next scam on a long list, given that nefarious individuals will no doubt want to exploit national and international clogs in the supply chain with too-good-to-be-true discounts on chemicals and PVC pipe already in short supply.

The biggest vulnerabilities, however, from a chemical standpoint are that hackers will be able to get into these systems and manipulate the legal limits of chemicals for disinfection and a myriad of other chemicals used to treat source water into drinking water which could lead to serious public health outbreaks.

Many of these attacks, he believes, aren’t even targeted.

“I think a lot of hackers don’t know the effect but are sitting around drinking beer in a foreign country or wherever they are and get a hit and just start playing around to see what they can do,” he said. “In some respects, they are seeing what they can manipulate and what control systems are hackable.”

He doesn’t think that they’ve had any of their systems specifically targeted, or know whether the attacks that have happened were carried out with malicious intent. He just doesn’t know.

Scary Stuff

What he does know, however, is the seriousness of what such a hack can do to Wyoming’s vital water and waste treatment operations.

“If someone wanted to overdose chlorine to the point that a person filled up a glass and drank it, it could kill someone,” he said, “or a small community could drop dead of chlorine gas if they all turned on their faucets at the same time or had a release from the plant.”

On a positive note, they have partnered with expert IT people to provide training to water treatment plant managers and operators which is a great start, he said.

“The key is to get people trained and aware,” he said. “Training people to recognize what is happening and how to prevent problems and fix them and to also be aware of phishing email scams and to have enough awareness to know who to call when an issue arises.”

The latter proves vital in small, rural communities where the city government is tied to everything in town and where one contaminated computer system can have a larger reaching impact both on IT systems and facilities.

More important, he said, is raising awareness and convincing local and state government to make the investments in keeping their water supply and treatment plants safe.

Paying For Security

There seems to be a big disconnect on the cost of water, which, for whatever reason, raises the hackles of taxpayers. That and potholes, he noted. He hears every day from Wyoming residents who complain about the cost of their water bill, and even watched a local mayoral candidate campaign solely on the promise of cutting water costs to the town.

“If people can flush a toilet or turn on the faucet then they are happy,” Pepper said. “They don’t care how it got there or what it cost to treat it. People will say that water should be free but will think nothing about going down to the local 7-11 and paying $1.69 for a 12-ounce bottle of water, which is not as regulated as tap water by the way.”

Yes, water might be “free,” he noted, but it costs a lot to treat it and deliver it to residents.

In the meantime, he’s focused, as he says, on crying to whoever will listen about the potential vulnerabilities in the state’s water systems.

Apart from paying a hefty ransom to unlock a computer system, the worst-case scenario involves potential doses of chemicals that make water deadly or cause serious public health risks due to contaminants in the disinfection process that might affect water quantity when pumps are shut off or water flow is impacted, allowing deadly bacteria to build. Only a fraction of Wyoming municipalities is currently able to manually operate their systems in the case of power being shut off.

Worst-case scenarios are these effects on water quality or quantity that create potential public health risks on a small or massive scale.

“That’s my number one fear,” he said. “Number two would be ransomware shutting down the system that prevent us from operating or delivering water.”

The most recent hack was an eye opener for him and others, he said.

“The criminals are always one step ahead of figuring out the next scam.”


Wyoming Hacker’s Brief: A Weekly Report on the Online Scams Happening in Wyoming


By County 17

Information for this week’s Hacker’s Brief is provided by CyberWyoming Alliance, a 501(c)(3) nonprofit affiliate of CyberWyoming.

Living Proof Now Vital Records Scam: A Wyomingite reported a website called LivingProofNow.com that claims to get birth and death certificates for you without hassle.

However, the citizen never received confirmation after paying $49 and found out from his credit card statement that Living Proof Now is in Spain.

CyberWyoming researched the issue and found that vital records website scams are common.

In fact, in looking at the Living Proof Now website and clicking on Wyoming, we found this buried disclaimer: “Before we go any further, it’s important that you know…We are a privately owned website that is not affiliated, owned or operated by the U.S. Government or any government agency. You must send your mistake-free application to your state’s Health Department. You must pay any required fees directly to your state’s Health Department or other government agency.”

So, basically, pay Living Proof Now $49 then continue to work with the local government. Thus, their claims of getting your birth or death certificates hassle-free are bogus.

MoneyGram Scam: An email impersonating MoneyGram with the subject line of ‘URGENT NEEDED’ from Frank John at mgram4458@gmail.com was reported by a Sheridan citizen.

The email asks for your personal information (including your name) to access funds that are supposedly in your name at the MoneyGram office.

CyberWyoming Note: MoneyGram made the news headlines when they settled with the FTC in 2009 and agreed to make changes to make it harder for scammers to use MoneyGram. There have been all sorts of scam emails since then.

Free Bitcoin Scam: If you receive an email from gekugin@gmail.com with the subject line of “Erpz 5 Pvhll 7 Cuh 1” and an offer called Free Bitcoin – PYEC, a Casper citizen wants you to know it is a scam. Do not click on any attachments and remember that if the offer is too good to be true, it probably is.

Mrs. Kristalina Georgieva is Not Holding Funds from Africa for You: A Sheridan citizen reported an email scam that requests your personal information from parfaitaguidiguo@gmail.com or mrskristalina9898@gmail.com.

The email impersonates the International Monetary Fund and the legitimate director, Kristalina Georgieva. The subject line is ‘Dear beneficiary’ and the greeting is ‘COMPLIMENTS.’ (It seems like the two should be reversed, so our guess is that the scammer got their programming fields mixed up.)

Another IMF Impersonation Scam: If you receive an email from smithadi763@gmail.com, paul38713@gmail.com, or pm3628587@gmail.com claiming to be Mr. Paulson EE and asking for your personal information to provide “compensation funds for scammed victims” from the IMF (International Monetary Fund), note the irony and delete it. Reported by a Sheridan citizen.

Military Impersonation Scam: If you receive an email from the US Army Force at file8119@gmail.com or officefile548@aol.com claiming to be a Captain in the US Central Command in Syria and asking you to help him hide money he found that had belonged to ISIS, know it is fake and that it has a more devious purpose of trying to hurt the integrity of our military officers. Reported by a Sheridan citizen.

Why am I getting Facebook suggested friend notifications via email when I’m not on Facebook? This question was recently posed by a Wyomingite. While our research wasn’t conclusive, it could be because the WhatsApp application shares information with Facebook. However, this citizen didn’t use WhatsApp either. Err on the side of caution. Block the sender and delete the email. Don’t click on anything in the email. Unsolicited emails should always be viewed with suspicion.

Advice on How to Clear Malware from Your Computer: First of all, warning signs that your computer may be infected include an abnormal and dramatic slowdown of the computer’s speed, a hard drive that won’t stop running or that fills up unexpectedly, system crashes, software programs that seem to misbehave, a lot of pop-up messages inviting you to click a link, or security software that won’t run. What to do? Disconnect your computer from the internet, restart your computer, and run a scan using your antivirus software. (Purchased software is better than free software.) If your antivirus software has been uninstalled, you may need to reinstall it before you disconnect from the internet.

Natural Disaster Scam Alerts: With the floods and hurricanes we have recently seen, be aware of bogus fundraisers, crooked contractors, and flood damaged car scams.

MS-ISAC Patch Now Alert: The Multi-State Information Sharing and Analysis Center (MS-ISAC) has published a patch now (update your software) alert for Google’s Chrome browser, Apple operating system prior to 12.5.5, Apple’s macOS Catalina prior to Security Update 2021-006, and VMware’s vCenter Server products. If you use these products, make sure the software (or firmware) is updated.
