In previous discussions, we explored the vulnerabilities within the power supply chain, revealing how the very lifeblood of modern civilization is susceptible to cyberattacks, sabotage, and physical asynchronous attacks. However, the power grid is not the only critical infrastructure at risk. Water, another vital resource, faces its own unique and concerning set of threats. Water sustains life, nourishes crops, supports industries, and maintains sanitation, but the systems responsible for its delivery and quality are increasingly vulnerable to a variety of attacks. Whether through illegal siphoning, cyberattacks, physical attacks, or environmental manipulation, the water supply chain stands as a crucial weak point in global infrastructure security.
This post will dive into the various ways the water supply chain is being targeted, drawing on real-world examples to illustrate the scale and seriousness of the issue. As with power, understanding these vulnerabilities is essential not only for government officials and industry leaders but also for the general public, who rely on water every day without a second thought.
Physical Theft: Cartels and Criminal Syndicates Target Water Supplies
One of the most pressing threats to the water supply chain comes from physical theft by organized crime syndicates. A notable example occurred in Antelope Valley, California, where drug cartels siphoned off millions of gallons of water per day for illegal marijuana cultivation.
These cartels tapped into both public water sources and private wells, often leaving local residents and legal farmers in dire straits. Water theft not only depletes valuable reserves, particularly in drought-stricken areas like California, but it can also go unnoticed for long periods, exacerbating shortages before authorities can intervene.
This type of theft doesn’t just affect the immediate community—it has ripple effects throughout the entire region. A sudden, unexplained drop in available water can lead to economic disruptions, particularly in agricultural sectors, which depend heavily on reliable water access. It also undermines public trust in water management, as people become more aware of the ways their supply can be illegally diverted.
Illegal Tapping of Water Pipelines: A Global Problem
In Mexico, as of 2018, authorities were detecting an average of 28 illegal taps into their water pipelines every day. These illegal taps divert water from government-managed pipelines, contributing to massive losses for the country’s already struggling water infrastructure.
These operations often rely on hot tapping into underground water lines or even siphoning from rivers and reservoirs, diverting millions of gallons of water to fuel their illegal cultivation sites. In some cases, entire communities face water shortages as cartels steal from municipal supplies and private wells.
The theft of water not only exacerbates California's already strained water resources but also puts legal farmers and residents in jeopardy. These criminal enterprises often operate in remote areas, making it difficult for authorities to monitor or stop the illegal diversions. This practice is part of a larger trend where cartels manipulate both natural resources and weak points in infrastructure for profit, without regard for environmental or community impacts.
Unfortunately, cartels are very well armed and rarely show reluctance to use force, even when it seems unnecessary, shooting at everything from border patrol to US and Mexican citizens and even drones.
Hot Tapping of Water Lines: A Dual Threat
Hot tapping is a method commonly used for legitimate purposes, such as connecting new service lines to an existing water pipeline without shutting off the flow of water. However, this technique can also be exploited for illicit activities, making it a significant vulnerability in the water supply chain. Criminals and malicious actors can use hot tapping to illegally siphon water from the main line—similar to how fuel thieves tap into oil pipelines.
What makes hot tapping even more dangerous is its potential to introduce harmful or unknown substances into the water supply. By gaining access to a main water line, a perpetrator could inject chemicals, biological agents, or other dangerous substances directly into the flow of water that eventually reaches homes and businesses. Unlike water treatment facilities, which have security measures and monitoring systems in place, the sprawling network of underground pipelines is typically unguarded and lacks real-time surveillance.
This vulnerability is particularly concerning because any contamination that occurs via a hot tap may go unnoticed until after it has reached consumers, potentially causing public health crises. Strengthening the security of water pipelines, through both physical and technological means, is essential to mitigating this dual threat of water theft and contamination.
Despite what some may think, hot tapping a water main is surprisingly easy, and special kits, such as this one, can be purchased for around $2,000. This video shows an amateur successfully performing his very first hot tap after only having watched a YouTube video once.
Response times for such injection attacks from either water treatment centers or emergency services depend on the detection systems in place. Most water utilities use sensors that monitor chemical balances and other parameters at various points in the distribution network.
However, these systems are not always able to detect new contaminants immediately, particularly if they are injected downstream of the treatment plant. For example, in the case of the attempted cyberattack on the Oldsmar, Florida, water treatment facility, it was manual observation by staff that prevented a catastrophe.
What's more, depending on the rate of flow into a water main, it could be extremely difficult to pinpoint the location of the tap and injection.
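The sensor-based detection described above, and the problem of narrowing down where an injection entered the network, can be illustrated with a short added example (not part of the original post). It compares each monitoring station's readings with that station's own baseline and reports the pipe segment between the last clean station and the first alarming one. The station names, pH values, noise floor and threshold are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: hypothetical monitoring stations listed in flow
# order along one main, each with hourly pH readings.
STATIONS = ["plant_outlet", "station_a", "station_b", "station_c"]
READINGS = {
    "plant_outlet": [7.4, 7.5, 7.4, 7.5, 7.4, 7.5, 7.4, 7.5],
    "station_a":    [7.5, 7.4, 7.5, 7.4, 7.5, 7.4, 7.5, 7.4],
    "station_b":    [7.4, 7.5, 7.4, 7.5, 7.4, 8.9, 9.3, 9.4],
    "station_c":    [7.5, 7.4, 7.5, 7.4, 7.5, 7.4, 8.8, 9.2],
}

def robust_z(history, value, noise_floor=0.05):
    """Deviation of value from the history's median, scaled by the MAD.

    noise_floor (assumed sensor noise) keeps a very flat baseline from
    turning ordinary jitter into an alarm.
    """
    med = median(history)
    mad = max(median(abs(x - med) for x in history), noise_floor)
    return abs(value - med) / (1.4826 * mad)

def first_alarm(series, baseline_len=5, threshold=6.0):
    """Index of the first reading far outside the station's own baseline, or None."""
    baseline = series[:baseline_len]
    for i in range(baseline_len, len(series)):
        if robust_z(baseline, series[i]) > threshold:
            return i
    return None

def suspect_segment(stations, readings):
    """Return (last_clean_station, first_alarming_station, alarm_index), or None.

    Walking the stations in flow order, the first one that alarms bounds the
    segment to inspect; a None upstream means the plant outlet itself alarmed.
    """
    alarms = {s: first_alarm(readings[s]) for s in stations}
    for upstream, current in zip([None] + stations, stations):
        if alarms[current] is not None:
            return upstream, current, alarms[current]
    return None

if __name__ == "__main__":
    print(suspect_segment(STATIONS, READINGS))
```

The result only bounds the search to the pipe between two stations, which is why the spacing of monitoring points matters as much as their sensitivity.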
Cyber Threats: A New Frontier of Water Supply Vulnerabilities
Beyond the physical theft of water, cyberattacks pose another significant threat to water infrastructure. One of the most publicized incidents occurred in Oldsmar, Florida, where a hacker attempted to poison the city’s water supply by increasing levels of sodium hydroxide (lye) to dangerous levels. Fortunately, the attack was intercepted before any harm could be done, but it highlighted a reality: water treatment plants, like other forms of critical infrastructure, are increasingly connected to the internet, making them vulnerable to cyberattacks.
This incident in Florida was not an isolated case. Water utilities around the world are facing an uptick in cyberattacks, which could allow malicious actors to manipulate water quality or disrupt supply services entirely. Further, according to the EPA, around 70% of water treatment systems are not complying with even basic cyber security protocols.
Many water systems are underfunded and lack robust cybersecurity protocols, making them easy targets for attackers looking to cause widespread harm. The results could be catastrophic, affecting both human health and local economies. Imagine entire cities without access to potable water for days or even weeks—a scenario that becomes more plausible as these systems remain under-protected.
Infiltration and Sabotage: Insider Threats to Water Security
In addition to external cyber and physical attacks, water supply systems are also vulnerable to insider threats. Recently, a story surfaced involving a fake doctor who attempted to infiltrate a water treatment plant under false pretenses. This case underscores the importance of vetting and security protocols for employees and contractors who have access to sensitive infrastructure. A single malicious actor on the inside could sabotage systems, contaminate water supplies, or disable vital equipment.
Insider threats can be especially dangerous because they often go unnoticed until significant damage has been done. Unlike cyberattacks or external theft, insider sabotage may occur over a prolonged period, making it difficult for authorities to detect unusual activity.
We have discussed insider threats on several occasions, but they are still one of the biggest and often most overlooked attack vectors.
The Convergence of Water and Power Supply Chain Vulnerabilities
What makes the situation even more concerning is the interconnected nature of critical infrastructure systems. Water supply chains are not isolated; they depend on the energy grid to power pumps, treatment plants, and distribution networks. Similarly, the power supply chain often relies on water for cooling and other operational needs. A cyberattack or disruption in one system can have cascading effects on the other.
For example, during widespread power outages, water pumping stations may lose their ability to deliver water to homes and businesses. Conversely, water shortages can disrupt the functioning of power plants, especially those that rely on hydroelectric power or large amounts of water for cooling. In this way, vulnerabilities in both the water and power supply chains reinforce and amplify each other, creating an even more precarious situation.
Conclusion: Addressing the Threats to Water Security
As we’ve seen, the vulnerabilities in the water supply chain are numerous and varied, ranging from physical theft by criminal cartels to cyberattacks that can disrupt or poison supplies.
The challenges are daunting, but failing to protect our water supply chains could lead to dire consequences—both for our health and for the stability of our societies. Just as we are working to shore up vulnerabilities in the power grid, it is now time to give water security the attention it so desperately needs.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to set up and run a physical security audit
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.