Cybersecurity firm OTORIO has detailed a new proof-of-concept (PoC) malware, ZionSiphon, engineered to sabotage operational technology (OT) in water treatment and desalination plants. While the malware has not been observed in active attacks, it was developed to demonstrate the real-world capabilities of sophisticated threat actors targeting critical infrastructure.
ZionSiphon is designed to directly manipulate industrial control systems (ICS), such as Programmable Logic Controllers (PLCs), which manage physical processes. According to OTORIO’s research, the malware could be used to alter chemical dosage levels, potentially contaminating the water supply or making it unsafe for consumption. Other sabotage functions include modifying water pressure and flow rates to damage pipes and equipment, or falsifying sensor readings on operator displays to hide the malicious activity.
The PoC malware is not a theoretical exercise. OTORIO based its development on an analysis of over 50 real-world OT attacks, creating a tool that mirrors techniques actively used by attackers. This research highlights a credible threat to a sector that has already faced significant attacks. In 2021, an attacker remotely accessed a Florida water treatment facility and attempted to dangerously increase sodium hydroxide levels, an attack that was only stopped by an alert operator.
The demonstration of ZionSiphon serves as a critical warning for water utilities and other critical infrastructure operators. It underscores the need for specialized OT security measures, including strong network segmentation between IT and OT environments, continuous process monitoring for anomalous behavior, and securing remote access points with tools like a VPN and multi-factor authentication.
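One way to implement the continuous process monitoring recommended above, as an added example that is not OTORIO's code or from the article: it checks PLC-commanded setpoints against engineered limits and compares the value shown on the operator display with an independent sensor read outside the PLC path, which is what would expose the falsified-display and dosage-tampering behaviours described. The tag names, limits and telemetry records are constructed assumptions.

```python
from dataclasses import dataclass

# Engineered safe envelope per tag for a hypothetical chlorine dosing loop
# and feed pressure (constructed values, not from any real plant).
LIMITS = {"dose_mg_l": (0.2, 4.0), "pressure_bar": (2.0, 6.0)}
# Largest tolerable gap between the HMI-displayed value and the
# independent (out-of-band) instrument before raising an alert.
MAX_DIVERGENCE = {"dose_mg_l": 0.3, "pressure_bar": 0.4}


@dataclass
class Sample:
    ts: str
    tag: str
    setpoint: float    # value the PLC is currently commanding
    hmi_value: float   # what the operator display shows (PLC-reported)
    oob_value: float   # independent instrument the PLC cannot rewrite


def check_sample(s: Sample) -> list[str]:
    """Return alert strings for one sample; an empty list means nothing anomalous."""
    alerts = []
    lo, hi = LIMITS[s.tag]
    # 1. Commanded dosage/pressure outside the engineered safe envelope.
    if not lo <= s.setpoint <= hi:
        alerts.append(f"{s.ts} {s.tag}: setpoint {s.setpoint} outside [{lo}, {hi}]")
    # 2. Operator display disagrees with the independent reading: the
    #    display may be falsified to mask a real process change.
    if abs(s.hmi_value - s.oob_value) > MAX_DIVERGENCE[s.tag]:
        alerts.append(f"{s.ts} {s.tag}: HMI shows {s.hmi_value}, "
                      f"independent sensor reads {s.oob_value}")
    return alerts


def scan(samples: list[Sample]) -> list[str]:
    """Run every sample through check_sample and collect all alerts."""
    return [a for s in samples for a in check_sample(s)]


# Constructed telemetry: a normal record, an out-of-range dose that the
# display hides, and a pressure change the display also hides.
SAMPLES = [
    Sample("10:00:00", "dose_mg_l", 1.5, 1.5, 1.45),
    Sample("10:00:10", "dose_mg_l", 8.0, 1.5, 7.9),
    Sample("10:00:20", "pressure_bar", 4.0, 4.0, 7.2),
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```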