9 recent cyber attacks on the water and wastewater sector

This page summarises some of the most recent cyber attacks on water and wastewater utilities that are in the public record.

The majority of organisations, of any type, prefer not to publicly report their incidents, so the reality is that more attacks are occurring than we hear about.

Tipton, Indiana

Date: April 2024
Country: United States
Consequence: Minimal disruption. Operations transitioned to manual control during the event.

The Cyber Army of Russia posted a video online showing how hackers allegedly interacted with the systems of the Tipton Wastewater Treatment Plant.

Facility staff noticed irregular activity through standard process monitoring of plant operations, and transitioned systems to manual control whilst the matter was investigated. Read more on WTHR.com.

Texas Cities: Hale Center, Muleshoe, Lockney and Abernathy

Date: January 2024
Country: United States
Consequences: Limited; water tank overflow in one case

Multiple water and wastewater plants in Texas, United States, were hit by cyber attacks in early 2024. Videos posted online by the purported hackers showed them interacting with various supervisory control and data acquisition (SCADA) systems remotely, arbitrarily adjusting settings and controls. In most cases suspicious activity was caught before material damage was caused, with operations switched to manual control whilst steps were taken to resecure systems.

In Muleshoe, a water tank was made to overflow for about 30-45 minutes before the situation was brought under control.

The common link was determined to be the vendor software the communities use to keep their water systems remotely accessible.

Read more:

  • Summary from “Small Towns Meeting” 31 January 2024 – MyPlainview.
  • Attacks were attributed to Russia-linked group 17 April 2024 – Associated Press.

Veolia North America

Date: January 2024
Country: United States
Consequence: Online bill payment system service degradation, and theft of personally identifiable information

Veolia took targeted back-end systems and servers offline as a defensive measure. Customers experienced delays using the online bill payment systems as a result of this action. Water or wastewater treatment operations did not appear to have been impacted, according to a statement by the company. Read more here.

Veolia is an international company specialising in water, waste and energy management systems. The company operates 8,500 water and wastewater facilities around the world, as well as in all 50 US states.

Southern Water

Date: January 2024
Country: United Kingdom
Consequence: Theft of personally identifiable information and corporate data

Compromised information and data included copies of identity documents such as passports and driving licences, HR-related documents, and corporate car-leasing documents exposing personal data. A ransomware gang claimed it stole 750 GB worth of data in total. Read more here.

Southern Water provides water services to 2.5 million customers, and wastewater services to more than 4.7 million customers across Sussex, Kent, Hampshire and the Isle of Wight. Its asset portfolio includes 205 service reservoirs, 13,929km of water mains, 84 treatment works, 365 wastewater treatment works, 39,808km of sewers and 3,321 pumping stations.

Private group water scheme in County Mayo

Date: December 2023
Country: Ireland
Consequence: Water outage for 160 households over two days

An internet-connected controller used to maintain water pressure within the water system was accessed and taken offline by attackers. The devices shipped with default settings that included a simple and publicly published password. It appears the group did not have immediate access to any back-up systems, manual or otherwise. This attack exploited the same equipment and vulnerability that impacted the Municipal Water Authority of Aliquippa in the US. Read more here.

In Ireland, a private group water scheme is where the entire water supply—including the source, treatment plant and distribution system—is owned by a group of community trustees. The impacted scheme in this case is reported to service approximately 160 households in the Erris area of County Mayo.

Municipal Water Authority of Aliquippa

Date: November 2023
Country: United States
Consequences: Compromised operational technology, triggering manual override

An internet-connected controller used to maintain water pressure within the water system was accessed and taken offline by attackers. The devices shipped with default settings that included a simple and publicly published password. The authority had access to a manual backup system that enabled them to continue pumping. This attack exploited the same equipment and vulnerability that impacted the private group water scheme in County Mayo, Ireland. Read more here.

The Municipal Water Authority of Aliquippa manages a water system serving over 6,600 customers, featuring wells along the Ohio River, a treatment plant, and 9.178 million gallons of water storage across six reservoirs. The distribution network includes 82 miles of water mains, various stations, and 450 hydrants. Additionally, its sewer system serves over 5,300 customers, with a treatment plant, 52 miles of sewer mains, and six pump stations, discharging treated effluent to the Ohio River.

North Texas Municipal Water District

Date: November 2023
Country: United States
Consequences: Loss of business systems, and suspected breach of data

Phone services and business systems were impacted from around 12 November, most of which were restored towards the end of the month. A ransomware gang claimed it stole over 33,000 files containing customer data. Core water, wastewater, and solid waste services were not impacted. Read more here.

The North Texas Municipal Water District provides water, wastewater, and solid waste services to 2 million residents across 10 counties. It operates 7 water treatment plants with a 946 mega gallons per day capacity, 695 miles of transmission pipelines, and 82 wholesale delivery points. It also manages 13 wastewater treatment plants and a solid waste service with 3 transfer stations and a landfill.

Águas e Energia do Porto

Date: January 2023
Country: Portugal
Consequences: Data exfiltration and customer service constraints

Hackers stole data from Águas do Porto, and also caused disruption that impacted customer services for several days.

Passwords for Águas do Porto appear to have been stolen from Divultec, a company that provides IT services to third parties. Read more here (translated from Portuguese).

Águas do Porto manages more than 2,000 km of water infrastructure including water mains, sewers, and storm water pipes. Águas do Porto also manages 66 km of streams and 3.4 km of seafront.

South Staffordshire PLC

Date: July 2022
Country: United Kingdom
Consequences: Theft of personally identifiable information (PII), disruption to corporate network

In an early statement in August 2022, the company confirmed it was experiencing disruption to its corporate IT network. In November it advised that some customer data was impacted.

The group responsible for the hack published screenshots of various systems they accessed, which included parts of the SCADA system. Samples of the screenshots and analysis are discussed on the SCADAfence website.

The incident did not affect the safe supply of water to their 1.6 million customers.

Read more here.

South Staffordshire PLC manages and controls infrastructure including water treatment facilities, distribution networks, and reservoirs. It provides drinking water and sewage services to households and businesses within the South Staffordshire and Cambridge regions of the United Kingdom.
