When hackers penetrated a small water utility in North Carolina three years ago that debilitated its IT systems, operators there refused to "bow" to hackers and fork over ransom money to make the assault stop.
That 2018 cyberattack was part of what experts say is a fast-growing and evolving threat in the water sector and a glaring example of the type of attack — ransomware — that earlier this month shut down the East Coast's largest fuel supplier, the Colonial pipeline.
The 2018 attack began in the city of Jacksonville, N.C., on Oct. 8, 2018, when operators at the Onslow Water and Sewer Authority, or ONWASA, began experiencing "persistent virus attacks," CEO Jeff Hudson said in a statement. Hackers barraged the water utility with the "Emotet" malware, a tool that typically spreads through malicious emails and gives hackers a back door into victims' networks for launching additional attacks.
At the time, North Carolina was still reeling from Hurricane Florence, which pummeled the East Coast, causing large-scale damage and killing 53 people. ONWASA serves more than 150,000 people, including the military base Camp Lejeune.
Nine days after the initial Emotet cyberattacks began, Hudson said, the malware launched a sophisticated ransomware variant called "Ryuk" in the early morning hours, prompting the utility to bring in outside experts. Despite multiple firewall and antivirus protections, the ransomware spread quickly.
Then came an email from "cyber criminals" demanding ONWASA pay a ransom, wrote Hudson.
But utility officials stood their ground: "ONWASA will not negotiate with criminals or bow to their demands," he wrote.
While ONWASA refused to pay the undisclosed ransom request, the attack on a major East Coast pipeline earlier this month resulted in a much different outcome. The CEO of Colonial Pipeline Co., Joseph Blount, confirmed to The Wall Street Journal this week that the company paid $4.4 million in ransom in what's now being ticketed as the largest successful cyberattack in the nation's energy sector. Blount, according to the newspaper, said he authorized the payment because Colonial didn't know the extent of damage or how long it would take to bring the pipeline's systems back up.
Experts say it's a sign of widespread, nascent vulnerability that reaches across all sectors.
"What Colonial tells us is that everybody's susceptible to these types of attacks," said Michael Arceneaux, chief operating officer of the Association of Metropolitan Water Agencies and managing director of WaterISAC, the sector's threat sharing organization.
Hackers are increasingly using ransomware, a type of malware, to steal and encrypt data from companies and then threaten to leak that information or block access until a ransom is paid, said Marty Edwards, vice president of OT security at cybersecurity firm Tenable and a former Department of Homeland Security official.
When it comes to energy and water systems, hackers force companies to halt operations or go offline and then demand payments to unlock computers and get plants back up and running, he said, adding that it's a growing and lucrative business. Edwards said it all comes down to how good the backup and disaster recovery plans are for individual companies, plants or facilities.
"Right now ransomware is probably the most prevalent cyber risk to an organization," he said. "Criminal organizations have pivoted toward it in a big way."
Kevin Morley, manager of federal relations for the American Water Works Association, a trade association for about 4,300 water utilities, agreed the Colonial hack exposes weaknesses that reach far beyond the pipeline or oil and gas industries.
"It demonstrates the reality of the threat environment: There are entities out there that have criminal intent and there's financial incentive," said Morley.
"Assuming they continue to be successful," he said, "they're going to continue going back and doing what they just did."
A growing threat
The energy and power sectors have long been vulnerable to cyberattacks and ransomware given their use of aging operational systems that can be outdated and unsecure, said Edwards.
What's changed is that hackers are increasingly taking advantage of those weaknesses and growing more sophisticated, surgical and persistent in their attacks, he said.
Whereas in the past hackers used a "spray and pray" method of sending out ransomware across a host of organizations, Edwards said, threats are now more organized and targeted.
"You can go on the dark web and buy a ransomware tool kit or you can be a multilevel-marketer type person and be an affiliate that uses ransomware from a particular company," he said. "These are run almost like corporations."
At the same time, companies at the receiving end of those attacks are becoming more transparent and sharing information with stockholders or local utility boards, he said.
Last year, for example, the Cybersecurity and Infrastructure Security Agency said an attack using the Ryuk ransomware hit a natural gas company, forcing the shutdown of a pipeline for two days (Energywire, May 10).
In another case, hackers behind the "Nefilim" malware threatened to leak hundreds of computer files allegedly stolen from oil and gas producers in Houston (Energywire, May 12, 2020).
Private companies like the operator of Colonial pipeline and ONWASA are being forced to decide whether to pay.
In the case of ONWASA, Hudson said paying ransom money would "fund criminal, and perhaps terrorist, activities in other countries," and there's no expectation that doling out that money would halt future attacks. He also noted that the FBI advised against paying the ransom.
Edwards said the government in general recommends not paying ransom because it can encourage more attacks.
But he also acknowledged private businesses are forced to weigh paying a ransom with the amount of time it takes to get a system operational again.
"It's ultimately a business decision," he said.
Beefing up EPA oversight
The growing cyber threats continue to draw attention at the highest levels of government and on Capitol Hill.
The Biden administration this week said its infrastructure plan will include billions for cybersecurity efforts, and both chambers of Congress are working to push through elements of that package that include specific provisions for the water sector.
Arceneaux said he's working to beef up funding for EPA's cybersecurity program as part of S. 914, one of the first parts of a broader infrastructure package to pass the upper chamber.
That bill would create a new fund — $50 million for fiscal 2022 through 2026 — to be used to boost cybersecurity at water and wastewater facilities, as well as language specifying that cybersecurity projects are eligible for federal grants.
It would also require EPA and DHS to work together to identify which water systems would pose a threat to public health if compromised by a cyberattack.
Arceneaux said EPA's budget needs to be significantly increased to address cybersecurity on the water front. And DHS, he said, has a lot of great resources like free cyber assessments that the water sector relies on, but there are long waiting lines and "there's not enough to go around."
"I think everyone agrees the language is just the starting point for discussions," said Arceneaux.
Major gaps in oversight of the water sector's cybersecurity defenses came to light last year when hackers successfully manipulated a small Florida water utility. Experts say that while some utilities have done a good job hardening their defenses, others are lagging. Notably, there was no formal cybersecurity oversight of water utilities until congressional passage of the America's Water Infrastructure Act of 2018 (Energywire, Feb. 10).
Now, under that law, EPA is in the process of collecting data from water utilities on their cyberdefenses to assess hacking risks.
But Edwards said that while that's a positive step, it's also happening at the "speed of government" while cyber criminals move and evolve much faster.
Regardless of the sector — be it water, transportation or energy — Edwards said there need to be baseline standards for thwarting cyberattacks. There also needs to be more investment into cyber protections, which can be challenging for water systems that recover costs through ratepayers.
Morley added that other challenges plague the water sector. It can be difficult, he said, for some utilities to digest complicated cybersecurity jargon.
At the same time, federal cyber advisories from agencies like DHS can be overly complicated and difficult to understand, which can hamper utilities from seeing themselves in the scenarios that officials lay out and implementing appropriate risk management.
"I think there's a potential rabbit hole that people go down, expecting this to never happen," said Morley. "At some point, your system's going to be challenged."