Drones reportedly scoped out water treatment facility before ‘significant’ recent breach

Malicious drones are believed to have paved the way for a “significant” recent incursion at a major utility’s water treatment plant, according to the third-quarter Water and Wastewater Sector information-sharing bulletin released today by the Environmental Protection Agency and the Water Information Sharing and Analysis Center (WaterISAC).

While UAVs can provide benefits to utilities such as aiding inspections, the bulletin noted that drones can also “pose significant threats” across often interdependent critical infrastructure sectors “due to their accessibility, versatility and potential for misuse” ranging from unauthorized surveillance or physical attacks to cyberattacks.

“Drones equipped with high-resolution cameras or sensors can gather detailed information on sensitive infrastructure assets,” the bulletin states. “Malicious actors could use this data to identify weak points for sabotage or other physical attacks.”

The use of drones in Russia’s war on Ukraine has demonstrated how unmanned crafts can be used to go after strategic targets, especially Ukraine’s June 1 Operation Spiderweb attack that hit 41 Russian warplanes with a fleet of 150 drones. According to Lt. Gen. Vasyl Malyuk, head of the Security Service of Ukraine, the drones carried warheads developed for the mission: “two charges of 800 grams each, with a shaped-charge high-explosive effect,” the Kyiv Post reported, enabling them “to burn through the aircraft’s fuselage and cause a powerful internal explosion.”

At domestic infrastructure sites including power facilities and water facilities storing supplies of chemicals that can be hazardous — a “growing concern,” the bulletin notes — malicious drones could “map security perimeters, monitor guard schedules or detect unprotected access points.”

The public bulletin does not name the utility hit by the previously unreported “recent incident,” which the “very large combined utility” reported to WaterISAC.

The utility “reported a significant burglary where multiple thieves broke into its water treatment plant and stole tens of thousands of dollars worth of copper and other equipment,” the bulletin states. “The utility reported that drones were spotted above the facility prior to the security breach, likely being used to facilitate the theft.”

Even off-the-shelf commercial drones can be modified to carry explosive or chemical payloads — or can damage critical infrastructure and disrupt operations by crashing into key equipment.

The bulletin gives the example of an accelerationist who allegedly attempted to hit a Nashville power substation in November with an explosive drone. The Justice Department alleges that Skyler Philippi decided to try a drone, which was intercepted by federal agents at the site of the would-be attack, after researching previous attacks on electric substations and concluding “that attacking with firearms would not be sufficient” to, in Philippi’s alleged words, “shock the system.”

Drone maker DJI announced at the beginning of this year that “in line with regulatory principles of the operator bearing final responsibility” its software would no longer stop drones from breaching no-fly zones, instead alerting operators of “enhanced warning zones.” This lack of geofencing by the world’s largest drone manufacturer “raises concerns about the increased risk to critical infrastructure from potential unauthorized drone flights,” the EPA/WaterISAC bulletin continues.

“Mitigating these threats may require robust countermeasures like anti-drone-systems, enhanced surveillance efforts, restricted airspace designations and employee training,” the bulletin says.