The control systems of public drinking water systems are vulnerable to attack by malicious hackers. This has been shown through several penetration tests and the reported attack (which later was not corroborated by a DHS investigation) on an Illinois public drinking water system by foreign hackers in November, 2011, the most recent publicly known cyber attack on a drinking water utility. This talk will examine the many vectors of attack on the IT systems of a drinking water utility, their vulnerabilities, proposed defensive measures, and potential consequences of a malicious hacker attack. The control systems, including the programmable logic controllers (PLC’s) and the human machine interface (HMI), will be described. The talk will discuss the many institutional, cultural, and financial obstacles to ensuring that the national public drinking water infrastructure is adequately protected from attacks by malicious hackers. The current threat environment of the national drinking water infrastructure will be discussed, including the repeated threats by Al Qaeda to poison the US drinking water supply, along with existing programs to address those threats and finally a discussion of what more needs to be done.

John McNabb is Principal of InfraSec Labs, which researches security of critical infrastructures. He was an elected Water Commissioner for a small New England drinking water utility for 13 years. His current research focuses primarily on security of the drinking water infrastructure. He has presented papers on that subject at Defcon 18 (Cyberterrorism and the Security of the National Drinking Water Infrastructure), Defcon 19, Black Hat, and Shmoocon. John has published several papers on drinking water infrastructure issues and recently wrote a chapter on drinking water security for the book Weapons of Mass Destruction and Terrorism, 2nd Edition (McGraw-Hill, 2012).