Muleshoe, Texas, may not seem a likely setting for a thrilling espionage story. But what happened there in January — a cyberattack on a public water utility, allegedly perpetrated by a Russian hacking group — was exactly the kind of warning sign that Feras Batarseh has been worried about.

“Out of the 16 critical infrastructures [defined by the Department of Homeland Security], two are water and agriculture,” Batarseh said. “Those two, although they are two of the least advanced forms of infrastructure, they are now the most attacked. At this point, we’re just covering our heads, waiting for it to happen.”

It mirrored an attack from a month earlier on a Hawaiian water system, allegedly perpetrated by Chinese hackers. Unlike other notorious attacks, like the one on the Colonial Pipeline in 2021, these were not ransomware hacks, which demand a payout before services are restored. Rather, they were allegedly perpetrated by state actors — or those affiliated with them — for the express purpose of disrupting the water supply or quality. With all due respect to Muleshoe and even Honolulu, one can see how much more pressing it is to address the threat vector for an attack on the water supply of the nation’s capital.

Batarseh and his team have been working with DC Water for the last few years on a project that won the 2022 Intelligent Water Systems Challenge. Recently, the team expanded its work across the Potomac River to collaborate with AlexRenew, a water treatment plant in Alexandria.

One aspect involved building soft sensors, essentially predictive measurements, all around the virtual layout of the plant to help support the hard sensors already in place. These provide wider visibility of data and could eventually replace some of the physical sensors, which are expensive and easily corroded by the chemicals used in water treatment. The other component the team brought was a deep learning model analysis to help better predict spikes in water flow. This allows the plant to treat more water in a more environmentally sustainable way, rather than relying as much on a harsher, chemical-based treatment.

That’s the current focus for Batarseh, associate professor in the Department of Biological Systems Engineering at Virginia Tech. Batarseh and his team of researchers are associated with the Commonwealth Cyber Initiative in the greater Washington, D.C., metro area and also work in Blacksburg, where they operate the AI & Cyber for Water & Ag lab. The lab consists of physical pumping and tubing systems, along with soil and biological systems, integrated with computer monitoring. It all adds up to a term coined at Virginia Tech, one that encompasses the fight against threats to our nation’s water supply: cyberbiosecurity.

“Cyberbiosecurity is different than cybersecurity,” Batarseh said. “Those biological components are very interconnected to the cyber components. … If you know your biological components can be compromised via your cyber backdoor, then you’ll be more worried. It means human health. It means the well-being of societies.”

The Environmental Protection Agency recently invited Batarseh to discuss solutions to the growing cyber threat. The agency actually initiated regulations for cyber resilience, but it was sued by the very water treatment plants it was aiming to protect. Why? The cost can be prohibitive and unfeasible for many. In response, two bills have been introduced in the U.S. House of Representatives to address risk and resilience requirements and help shore up rural water systems.

According to Batarseh, only the largest 1 percent of enterprises around water and biological treatment — those with more than 500 employees — have a dedicated cybersecurity expert. That’s why the small- and medium-sized utilities, like those in Muleshoe and Honolulu, were hit: They’re the low-hanging fruit. But that doesn’t mean those big systems also haven’t been targeted.

“The big ones aren’t getting hit as much, because they are, in a sense, more ready,” Batarseh said. “But they’re still witnessing adversarial activities every day.”

Feras Batarseh (at center) with his team after a tour by AlexRenew's Brian Akins (at far left). Team members are (from left) Chhayly Sreng, a master’s degree student in electrical and computer engineering; MD Nazmul Kabir Sikder, a doctoral candidate in electrical and computer engineering; Ajay Kulkarni, a postdoctoral associate at the Commonwealth Cyber Initiative; Lauren Pincus, a doctoral student in biological systems engineering; and Justice Lin, a master’s degree student in electrical and computer engineering. Photo by Noah Frank for Virginia Tech.

In April, Batarseh’s team presented its first round of results to AlexRenew. Unlike many other industries, utilities like AlexRenew are excited to share their data, as the more information the models can process, the better job they can do of predicting fluctuations from baseline expectations in advance.

“We’ve always had this collaborative nature, and the industry itself is very collaborative,” said David Roberts, chief information technology officer for AlexRenew. “What we would normally keep to ourselves as a competitive advantage, to other companies and how to compete, is given away freely in this industry.”

This will be even more true in the future, as AlexRenew has offered the ACWA lab real-time data moving forward. That’s a huge boon for Batarseh and his students, as well as for the utility.

“AI is absolutely a perfect use case for what we do,” Roberts said. “Because AI looks for patterns. It’s great for looking at patterns across large data sets, and that’s exactly what we have.”

Utilities like water treatment plants — and, for that matter, power plants — mainly rely on Supervisory Control and Data Acquisition (SCADA) systems to monitor outputs. SCADA systems are very good at telling you what’s happening within a plant right now. But they can’t anticipate a heavy rainfall, or a spike in usage, or a security breach, because they simply aren’t built to do so. One technological piece that Batarseh’s team is using employs AI to create predictive baselines to help fill that gap.

Implementing a GAN, or a generative adversarial network, creates scenarios to simulate what a hacked data set would look like, providing baselines that you normally would not have until after an attack had happened. By doing so, Batarseh’s team can allow a plant to identify a specific anomaly as it happens, so that they can deploy the right response immediately.

“These are not machine learning algorithms, meaning they are not forecasting just based on the data,” Batarseh said. “They are deep learning algorithms, meaning that they create more data and latent representations. They infer knowledge that the algorithm now has about this domain.”

In order to protect each of these interconnected systems, one has to be able to analyze and manage the threats to all of them. The hardware of the SCADA systems at AlexRenew is also all siloed, which is a necessary security measure. That way, if one part of the system gets compromised, it is quarantined, so it doesn’t bring down the entire plant. However, that also means that data is siloed, making diagnosing a problem somewhere in the system a real challenge, unless you’re looking right at it.

“If (a technician) gets a number there that’s inaccurate, he’s not going to know, sitting in a room,” Batarseh said. “Two buildings away, is where that thing is. So unless he walks away, he doesn’t know. And even if he walks there, he doesn’t know if the sensor is working correctly.”

The tools that Batarseh’s team brings help tie all that data together, allowing the system to instantly notify a technician as soon as any part of the system starts to stray from its expected baselines. Those extra layers of cybersecurity at small and mid-sized plants often aren’t in place because they’re expensive. Adding a soft sensor system could help those municipalities mitigate costs while shoring up potential vulnerabilities.
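To illustrate the idea of checking a hard sensor against a predicted baseline, here is an added example that is not the ACWA Lab's code: a plain least-squares fit stands in for the team's deep learning models, and the sensor names and all readings are constructed for illustration.

```python
from statistics import fmean, pstdev

# Constructed known-good history: (upstream flow, downstream hard-sensor reading).
TRAIN = [(100, 92.5), (110, 100.5), (120, 110.3), (130, 118.7),
         (140, 128.4), (150, 136.6), (160, 146.2), (170, 154.8)]

# Constructed live readings; index 2 repeats a stale value, index 4 reads high.
LIVE = [(125, 114.6), (145, 132.3), (165, 132.3), (155, 141.6), (135, 131.0)]


def fit_soft_sensor(history):
    """Least-squares line predicting the downstream reading from upstream flow."""
    xs, ys = zip(*history)
    mx, my = fmean(xs), fmean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("upstream flow never varied; cannot fit a baseline")
    slope = sum((x - mx) * (y - my) for x, y in history) / sxx
    intercept = my - slope * mx
    # Spread of residuals on known-good data sets the alert tolerance.
    sigma = pstdev([y - (slope * x + intercept) for x, y in history])
    return slope, intercept, sigma


def check(live, model, k=4.0):
    """Return (index, expected, actual) for readings more than k*sigma off baseline."""
    slope, intercept, sigma = model
    alerts = []
    for i, (x, actual) in enumerate(live):
        expected = slope * x + intercept  # the soft sensor's prediction
        if abs(actual - expected) > k * sigma:
            alerts.append((i, round(expected, 1), actual))
    return alerts


if __name__ == "__main__":
    for i, expected, actual in check(LIVE, fit_soft_sensor(TRAIN)):
        print(f"reading {i}: hard sensor {actual}, soft sensor expected {expected}")
```

The stale reading at index 2 looks plausible on its own, since the same value was normal one sample earlier; it is only the comparison against a second, independent measurement that exposes it.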

Having a second set of data now from Alexandria, to go along with that from D.C., gives the ACWA Lab’s models that much more ability to learn under different environments. With each new data set comes better predictive capability, something Batarseh hopes will help their work spread to similar facilities around the country.

“ACWA Lab could be used to simulate wastewater facilities across the country,” he said, offering an open invitation for collaboration. “Whoever wants to go to Blacksburg to run a simulation, we’re happy to work with them on that.”

Feras Batarseh will be the featured speaker at Tech on Tap at Port City Brewing Company in Alexandria on Thursday, May 30, at 6 p.m. Reserve your tickets.
