Of all critical infrastructure, the public water system might seem the least vulnerable to a cyber attack. But that might be changing, with the increasing adoption of advanced metering infrastructure (AMI) that controls the water supply remotely, according to John McNabb, water expert and security researcher.
In a speech at Black Hat USA in Las Vegas, McNabb said because wireless water meters are data collecting, embedded devices, they are therefore vulnerable to attacks that could cause service disruption, or even enable attackers to execute malware.
“There are a lot of inter-dependencies. In many parts of the country, water departments don’t have emergency generators. There’s more attention to security for water systems,” he said.
Essentially, the Achilles heel of the smart meters is that they’re equipped with a small computer — or microcontroller — which enables a direct electronic reading of the water consumption, said McNabb.
“Electromagnetic forces detect the flow of water. You put the meter in, and it registers a total volume of water going through,” he said. “This is what records the data. It turns the water meter into a data collection device.”
Transmission methods vary, such as phone lines or cable power lines. However the most common transmission method is via radio signals, that operate at about 900 megahertz. If hackers could develop a way to “sniff” a system running at a 900 megahertz frequency, McNabb said, they would be able to take control of the system.
As such, water smart meters, like any other critical infrastructure controlled over a wireless sensor network (WSN), are fraught with many of the same vulnerabilities facing electrical smart meters and other Web-facing systems, including cyber attacks and disruption, McNabb said.