Is Your Treatment Plant Secure?
A computer network security competition pits students against a miniature wastewater treatment plant in an effort to expose cybersecurity problems in the nation's infrastructure.
Its computer network under relentless attack, the wastewater-treatment plant’s systems fail, and a tank begins to overflow. Workers scramble to compensate, and tension hangs in the air.
That sounds like the plot for an action-packed movie, but it actually occurred in October — albeit on a miniaturized scale. The treatment plant was a tabletop-sized version built by California State Polytechnic University-Pomona student Joe Needleman and friends as part of a computer network security competition held in Washington, D.C. The model, one of the challenges competitors attempted to access, illustrates a real-world problem: Parts of America’s aging infrastructure, including water-treatment plants, are becoming increasingly exposed to the threat of cyberattack.
“Not a lot of people really talk about security in water plants, but there are people whose jobs every day are to secure these,” says Needleman, a senior majoring in computer science and focusing on cyber security. “They’re very important. That’s why I wanted to make this as accurate as possible. It was important to me, with the resources we had, to make something that you could plausibly say is actually going on with the network.”
Students immediately got to work at the competition trying to find back doors to the treatment plant's management programs. Needleman says some of the competitors found completely unexpected paths to breach the plant's security.
Needleman says one of his professors asked him and four other students to come up with a challenge idea for the hacking competition, which was hosted by Passcode , a cyber-focused publication of the Christian Science Monitor . Cal Poly-Pomona students and Uber security researchers designed the challenges for the event.
“I started researching areas that are not discussed much in the news but are important to our everyday lives,” he says. “One that kept coming up was water distribution.”
Part of Needleman’s inspiration came from the headlines. About the time he and his teammates started the project, the International Atomic Energy Agency admitted that a nuclear power plant had been the target of a disruptive cyberattack several years earlier.
“One of our motivations for building this was industrial systems,” he says. “We were trying to build awareness and have something that was fun at the same time.”
From there, he and his teammates started designing a model wastewater treatment plant, striving to make it as realistic as possible. The final plant — composed of several tanks, pumps and PVC piping — took a month and countless hours of work to complete. It included components to monitor sound, vibration, environmental humidity, water levels, flow rate, environmental temperature and water temperature. Then, Needleman wrote management software to maintain the plant and provide water for the simulated city.
Here's a close-up view of the miniature wastewater treatment plant Needleman and his teammates built over the course of a month. The team also wrote software to manage the plant.
“For this type of challenge, the security measures were a minimal part of the design,” he says. “We made sure that it was difficult to get into the network, but once (competitors) were into the network, they had more access to things.”
Needleman says watching the hacking competitors attack his plant was somewhat unnerving but fascinating,
“It was really interesting to see how each of the teams interacted,” he says. “Some got in through the web interface, but others found ways we didn’t think they could get into. It was a very neat experience to watch them. We tried to model all our protocols and systems after real systems, so it was interesting to see what people did with the info they had.”
Ultimately, after repeated attacks from competitors, one of the model plant’s tanks began to overflow, and Needleman’s team had to power down the plant to drain the water to safe levels.
“It was very eerie,” he says. “All of a sudden, you get to the event and nothing’s working — not because it’s broken, but because the teams are in the system redoing the settings. It shows how easily these systems are targeted.”
Needleman says he hopes to participate in similar competitions in the future, not only for the challenge but to show people the potential dangers of security attacks on often-ignored elements of modern infrastructure.
“The system may work, but you don’t really know what’s behind the system,” he says. “We’re sort of poking at it. It’s a little scary.”
Written by Brian Lovett