Flaws in IoT-connected water systems could expose utilities to attack

Posted 26 September 2018

IrrigationInternet-connected irrigation systems could be hijacked by threat actors and used to drain a city’s water reserve or force utilities to shut off the water supply, a new study has found. 

Smart irrigation systems use the internet to communicate with sensors and weather forecast services to improve water efficiency. They are increasingly replacing traditional models as cities around the world focus on using the internet of things (IoT) to save money and water.

Academics from Israel’s Ben-Gurion University of the Negev analysed three commercial smart irrigation systems – GreenIQ, BlueSpray and RainMachine – and discovered security flaws that could allow an attacker to remotely turn the watering systems on and off. 

The researchers said using a botnet – a large network of internet-connected devices controlled without the owner’s knowledge – an attacker could control an irrigation system in order to trigger a mass consumption of water. 

While water utilities are well protected against attacks, researcher Ben Nassi said it would be easier to target IoT-connected irrigation systems as they are on the consumer side, in smart homes and smart cities.

“Municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards,” he said.

“A botnet of 1355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty a flood water reservoir overnight.”

In their paper, which was presented at the DEF CON cyber security conference in Las Vegas last month, the researchers said there was little a water utility could do if it detected an attack. 

“The only thing that an urban watering service can do when such an attack is detected is stop water distribution,” they wrote. 

“While this solution prevents the attacker from wasting any more water, it also prevents people from obtaining water, which is the aim of the attacker.”

The researchers passed on their findings to the companies included in the study, but said all smart irrigation suppliers must enhance their security.

They said similar attacks could be used against other critical infrastructure that uses IoT-connected systems, like the energy sector.

Related article:

What’s the future of irrigation piping?