The first notable incident in the water sector took place in 1994, when a hacker using

a dial-up modem gained access to the computer network of the Salt River Project in
Arizona. The intrusion involved at least a 5-hour session where the hacker had access
to water and power monitoring data. Τhe perpetrator was a hacker who believed he
had the right to pursue his intellectual freedom through his hacking activities.
It was another 6 years before a confirmed incident clearly involving malicious intent
occurred. It is known today as the Maroochy attack, named after the area in
Queensland, Australia where it occurred. In the spring of 2000, a former employee of
an Australian organization that develops manufacturing software applied for a job
with the local government, but was rejected. Over a 2-month period, this individual
reportedly used a radio transmitter on as many as 46 occasions to remotely break
into the controls of a treatment system. He altered electronic data for particular
pumping stations and caused malfunctions in their operations, releasing about
800.000 Liters of raw sewage into nearby rivers and parks.
Often however there is no malicious intent behind some failures. In December 2005
for example, the Taum Sauk Water Storage Dam, approximately 100 miles south of
St. Louis, Missouri, suffered a catastrophic failure, releasing a billion gallons of water.
According to the dam’s operator, the incident may have occurred because gauges at
the dam read differently than the gauges at the dam’s remote monitoring station.
This was followed by two incidents that involved unauthorized access. In 2006, a
hacker connecting from outside the United States was reported to have intruded
into the network of a water plant in Harrisburg, Pennsylvania. The attack involved
the installation of malware that could, but didn’t affect the plant’s operations.
The next year, a former electrical supervisor of a small canal system in California was
sentenced to 10 years in prison for having installed software on a SCADA system,
causing water to be diverted from the Sacramento River. He was reported to have
carried out the attack on the day he was dismissed after 17 years of employment.
The 2011 failure of a water plant in Springfield, Illinois was widely reported as the
first foreign cyberattack on a public utility in the United States. Later however it was
shown to be a normal failure of a pump that had malfunctioned several times in the
past. Suspicions had been raised because of a user who had connected to the
network from a Russian IP address. After investigation, the user proved to be a
contractor who had accessed the network remotely, while in Russia on business.
Unaware at the time that it was only an accident, a 22-year-old hacker called pr0f
was furious that US officials were playing down the incident. Determined to show
that such an attack was potentially catastrophic, he began by looking for Siemens
Simatic controllers on the Internet and found one used by a water treatment facility
in South Houston, Texas. In less than 10 minutes he had connected to it using the
default 3-digit password that was publicly available in the device’s manual and had
gained access to the water plant’s network. He did not cause any damage but took
some screenshots and posted one online to prove the intrusion.