Cybersecurity, water systems, critical infrastructure, botnets | Homeland Security Newswire

Critical infrastructureUrban water services vulnerable to attacks using a botnet of smart commercial irrigation systems

Published 9 August 2018

Cybersecurity researchers warn of a potential distributed attack against urban water services which uses a botnet of smart irrigation systems. The researchers analyzed and found vulnerabilities in a number of commercial smart irrigation systems, which enable attackers to remotely turn watering systems on and off at will. Botnet attacks can also empty an urban water tower in an hour, and empty flood water reservoir overnight.

Ben Nassi, a researcher at Cyber@BGU, will be presenting a paper titled “Attacking Smart Irrigation Systems”  in Las Vegas at the Def Con 26 conference in the IoT Village on 11 August.

The researchers tested three of the most widely sold smart irrigation systems: GreenIQ, BlueSpray, and RainMachine smart irrigation systems (watch the video).

“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty flood water reservoir overnight,” Nassi says. “We have notified the companies to alert them of the security gaps so they can upgrade their smart system’s irrigation system’s firmware.”

Water production and delivery systems are part of a nation’s critical infrastructure and generally are secured to prevent attackers from infecting their systems. “However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards.”

In the study, the researchers present a new attack against urban water services which does not require infecting its physical cyber systems. Instead, the attack can be applied using a botnet of smart irrigation regulation systems at urban water services that are much easier to attack.

The researchers demonstrated how a bot running on a compromised device can (1) detect a smart irrigation system connected to its LAN in less than 15 minutes, and (2) turn on watering via each smart irrigation system using a set of session hijacking and replay attacks.

“Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers,” says Nassi, who is also Ph.D. student of Prof. Yuval Elovici’s in BGU’s Department of Software and Information Systems Engineering and a researcher at the BGU Cyber Security Research Center. Elovici is the Center’s director as well as the director of Telekom Innovation Labs at BGU.