The Gariep Dam is the largest storage reservoir in South Africa.
Taking water security to another level
Water security doesn’t only mean availability, but also whether the multitude of
treatment plants throughout the country are at risk of being cyber hacked …
By Tunde Ogunkoya
Following on the wave of recent
cyber hacks taking place around
the globe, Tunde Ogunkoya,
consulting partner at Africa DeltaGRiC
Consulting, discusses the possibility of
utilities being cyber hacked.
I did a presentation at the
CyberXchange Conference last
year, which somewhat addressed
the question of utility security,
though slanted towards the oil and
gas industry. We narrowed down
how a certain vulnerability in a SAP
application commonly used by that
industry — and any large utility —
could be used to siphon money and
perhaps, as in the extreme case with
oil and gas (O&G), fund terrorism in
oil-rich Nigeria.
While there are many ways that
a utility company (water, electricity,
or O&G) may be hacked based on
the applications that they use for
automating their processes, I must
disclaim that the water treatment
process is not within my field of
expertise, as our firm is a purely
applications security firm focusing
on SAP, Oracle PeopleSoft, and
open-source software security.
That said, cyber security has very
little to do with business processes
— <20% link to business processes. I
will approach the topic from a purely
application security perspective,
and maybe touch on the operational
technology part of security in the
utilities industry: SCADA, PLC
(programmable logic controller), and
Distributed Control Systems.
Water Sewage & Effluent July/August 2017
The risk and motivation for hacking
that we see in the utilities industry is
mainly sabotage risk from an external
attack perspective, and fraud risk from
an internal attack perspective. There
could be many other points through which
a hacker can access a water treatment
technology landscape, be it networks
and/or operational technology (OT).
By simply searching for ‘water’
on Shodan (the world’s first search