Web and Flow: Protecting Water Supply from Digital Attacks
Whether it be riding a Lime, ordering UberEats or borrowing money, the internet has streamlined and revolutionised the way we do things. But, as Uncle Ben Parker famously told Peter Parker in Spider-Man, “With great power comes great responsibility”.
The internet is great, but it also poses even greater security challenges and in engineering areas you may not realise.
Hunter Douglas from the Environmental Engineering and Management discipline has just had his first author technical note published from his Masters’ research, covering the vulnerability of water supplies to cyber-attacks.
We caught up with Hunter to ask him about his Master’s Research, what it was like working with MIT-SUTD and if Siri could, in theory, really hack your neighbour’s water meter.
Your Master’s Research is titled “Pressure-Driven Modeling of Cyber-Physical Attacks on Water Distribution Systems”. How would you describe your findings in 10 words or fewer?
Modelling helps show how vulnerable water systems are to hacking.
How much time and effort went into your research? Were you working on this as well as your day-to-day projects at T+T?
My co-authors and I submitted this paper just as I finished up my Master’s programme at the Singapore University of Technology and Design (SUTD), back in July 2017. When it came back from review it required some pretty major edits, and so I worked on revising it in my spare time after work. As anyone else who’s submitted a paper to a journal can attest, it’s a lengthy process!
What was it like working with the team from MIT-SUTD?
SUTD is a really new university, established in 2009 in collaboration with MIT (the one in Boston, not Auckland). I was really lucky to be offered a place on a scholarship programme that saw me completing two, one-year Master of Engineering degrees over 2015-2017. The professors and students I met were incredible; some really bright people with an infectious determination to use science and engineering to improve the world.
So in theory, if technology fell into the wrong hands, could I ask Siri to hack into my neighbour’s water meter?
Yes, we’re not too from that! As things like treatment plants and pumping stations become more reliant on digital control systems, and as these systems become increasingly connected to the internet, the risk of cyber-physical attacks gets worse and worse. With the right access, you could do anything from overfilling tanks to completely shutting off supply.
Are there any instances of hackers seizing control of water supply via digital means?
Scarily, yes. An infamous case was in 2000 in Maroochy, Queensland, where a former contractor used a laptop and a radio transmitter to take control of 150 sewage pumping stations. Over three months he released one million litres of untreated sewage into local waterways in an act of revenge for being denied a job with the local council. Another case from 2016 involved a water authority in the US, where customers checking their water bills online could gain backdoor access to the pumps, valves and chlorine dosing. Thankfully, in that case, it appeared that the hackers weren’t actively trying to poison anyone.
As we venture towards an ever increasing “Internet of things” what do we need to be wary about when it comes to cyber-security?
A tonne! For us as consultants, we need to be fully cognisant of the risks we expose our clients to when we handle their data and when we give advice regarding digital platforms for managing their operations. We have an excellent technology team who are across these risks and advise on such projects.
What drew you to this particular subject? What do you personally find fascinating about it?
My background in environmental engineering, including hydraulic modelling, gave me a chance to contribute to this multidisciplinary problem with a team of computer scientists and systems engineers. It felt like we were working at the vanguard of knowledge in this field, with some very real applications. That’s really exciting.
Aside from water distribution systems, are there other systems at risk from cyber-attacks that we should be aware of?
Purely digital systems (like telecommunications and, to a large part, banking) are obvious targets for cyber-attacks, but physical infrastructure like water and energy are becoming more vulnerable. We call attacks on these ‘cyber-physical attacks’ – cyber-attacks with a primary aim that’s physical. As other physical systems merge with the digital (driverless cars, anyone?), we need to ensure that they’re built with security as the paramount priority. There was a massive blackout in Ukraine in the middle of winter 2015, caused by sophisticated, coordinated hackers who gained access to a control centre. Being prepared for a blackout or water shortage should already be part of our major utility companies’ business disruption plans.
So where to now? What feedback have you heard on your Master’s research?
We’ve been approached by an EU-based news service that wants to make a summary of the paper for policymakers. We’ve also had some good feedback on a video that I produced about some prior research. Next, I’d love to see what applications there are for our clients in NZ.
Tonkin + Taylor has a broad range of skills and expertise in the water, digital and data space. For more information, head to our water engineering page or contact Water Sector Director, Clint Cantrell or Water Discipline Managers, John Rix and Peter Cochrane by email.