Water Treatment Under Siege: How a Single Modbus Command Can Poison Your City’s Water Supply + Video


Introduction

Industrial control systems (ICS) that manage our most critical infrastructure were built for reliability and uptime, not cybersecurity. The Modbus TCP protocol, a cornerstone of water treatment automation for decades, transmits all commands in cleartext with no built-in authentication, meaning any device that gains network access can read or write control registers as if it were the legitimate operator. Attackers exploiting this foundational design flaw can falsify critical sensor readings—such as chlorine residual levels—triggering automated chemical dosing systems to dangerously under- or over-chlorinate public drinking water, all without ever touching a single valve or pump.

Learning Objectives

  • Understand how unauthenticated Modbus TCP register writes enable false data injection (FDI) attacks against water treatment chlorine analyzers and distribution systems.
  • Build a realistic OT security lab featuring a simulated CL17 chlorine analyzer, Modbus TCP server, and custom attack tool.
  • Apply defense-in-depth mitigations including network segmentation, industrial firewalls, and protocol-aware anomaly detection to protect critical water infrastructure.

You Should Know

  1. The Anatomy of a False Data Injection Attack on a CL17 Chlorine Analyzer

The attack chain begins with network access to the control system zone. Joshua Brunner’s Hydrophobic tool demonstrates precisely how an adversary with even minimal access can manipulate water quality data. The lab environment consists of three coordinated components: a CL17 chlorine analyzer simulator (cl17.py) that writes realistic sensor values to a Modbus holding register, a Modbus TCP server (MBhydrophobic.py) that maintains the register map, and an attack script (hydrophobic.py) that overwrites the chlorine residual register with attacker-chosen values.

The critical vulnerability lies in the Modbus protocol’s complete lack of authentication. When the attacker runs hydrophobic.py, they supply three inputs: target IP address, register address (typically 0 for chlorine reading), and a falsified value. A value of 0 tells the operator “no chlorine”—prompting a frantic increase in chemical feed. A value of 120 (representing 12.0 mg/L, well above the EPA safety limit of 4.0 mg/L) appears as a dangerous over-chlorination condition, causing the operator to shut down disinfection entirely. Both scenarios can lead to public health disasters.

Step‑by‑Step Lab Setup (Linux/macOS):

```bash
# Install required dependencies
pip install pymodbus

# Clone the Hydrophobic repository
git clone https://github.com/Papaperun/Hydrophobic.git
cd Hydrophobic

# Terminal 1: Start Modbus TCP server (port 502 default)
python3 MBhydrophobic.py

# Terminal 2: Start CL17 chlorine analyzer simulator
python3 cl17.py

# Terminal 3: Launch HMI display
python3 hmi.py

# Terminal 4: Execute attack (use local lab IP)
python3 hydrophobic.py
# Prompts: target IP (127.0.0.1), register (0), value (120 for falsified high)
```

Windows (PowerShell):

```powershell
# Run batch launcher (PowerShell needs the .\ prefix for a script in the current directory)
.\start_lab.bat

# Open a separate terminal for the attack
python hydrophobic.py
```

After injection, the HMI canvas and sparkline update in real time, showing the falsified reading. Every attack run is logged to `hydrophobic_log.json` for forensic analysis.

  2. Chlorine-Ammonia Dosing Cascade: From One False Register to System-Wide Degradation

In water systems that use chloramine disinfection (common in many municipalities), chlorine reacts with ammonia to form monochloramine, the active disinfectant. This chemistry has a sensitive balance: the optimal chlorine-to-ammonia weight ratio is approximately 5:1. When an attacker injects a false low chlorine residual reading, the operator naturally increases the chlorine feed. But because ammonia is present, this triggers a destructive cascade.

Excess ammonia reacts with the newly added chlorine, producing additional chloramines and driving the residual chlorine measurement even lower. The operator, seeing persistently low readings, continues increasing the chlorine dose. Eventually, the system may transition into “breakpoint chlorination” where the chlorine demand exceeds the ammonia present—but along the way, water quality degrades significantly. The result: nitrification in distribution pipes, taste and odor complaints, and reduced bacterial control reaching consumers’ taps.

From a defensive perspective, this cascade demonstrates why single-point sensor falsification is so dangerous. The attacker doesn’t need to touch the chemical pumps. They don’t need credentials. They simply need to reach the Modbus TCP port (502) on the control network. In real-world deployments, ICS networks are increasingly connected to IT systems and remote monitoring, expanding the attack surface dramatically.

  3. Real-World Precedents: FrostyGoop and the Weaponization of Modbus TCP

The Hydrophobic lab is not merely theoretical. In January 2024, adversaries deployed FrostyGoop, the first ICS malware to successfully abuse Modbus TCP for real-world control system manipulation. Targeting a municipal district energy company in Ukraine, the malware injected unauthorized Modbus commands to ENCO controllers responsible for heating controls. The result: a two-day service disruption affecting over 600 apartment buildings during sub-zero winter temperatures.

Access was achieved through an exposed internet-facing router and poorly segmented networks. The adversaries established a Layer 2 tunnel and sent malicious Modbus commands directly from their own environment, never placing malware on the victim’s assets—thus evading host-based detection entirely. FrostyGoop was a compiled Windows binary that antivirus vendors initially failed to flag as malicious.

For the water sector specifically, CISA has repeatedly warned that attackers are exploiting exposed OT/ICS systems using “unsophisticated methods”. In April 2026, researchers at Darktrace detailed a Windows-based OT weapon specifically designed to sabotage Israeli water treatment and desalination infrastructure by manipulating chlorine dosing registers. The pattern is clear: Modbus TCP’s lack of authentication is not a bug—it’s a feature, and it’s being actively exploited.

  4. Defensive Measures: IEC 62443, NIST SP 800-82, and Zero Trust for OT

Securing Modbus TCP requires abandoning the assumption that OT networks are air-gapped and safe. Under IEC 62443, Modbus alone cannot meet even the basic Security Level 2 (SL2) because it provides no encryption or authentication. The standard mandates a defense-in-depth approach.

Network Protection – Industrial Firewalls + Isolation:

Segment the control network from IT and internet access using industrial firewalls that enforce strict IP and port allow rules. Apply MAC address filtering or switch port security so that only authorized devices (by IP and MAC) can communicate. For remote access, mandate VPN/IPsec tunnels with multi-factor authentication.

Protocol-Level Security – Modbus over TLS (Modbus Secure):

Where devices support it, run Modbus on TLS port 802 with digital certificates. This provides end-to-end encryption and device authentication, aligning with IEC 62443 SL2 requirements. The challenge: many legacy PLCs and analyzers lack firmware support, requiring careful upgrade planning or compensating controls.

Active Monitoring and Anomaly Detection:

Deploy protocol-aware intrusion detection systems that understand Modbus, DNP3, and OPC-UA. Establish baselines for normal communication patterns—which registers are written, at what frequency, from which source IPs. Any write to a chlorine residual register from an unexpected source or at an unusual time should trigger an immediate alert. NIST SP 800-82 Revision 3 emphasizes that flat networks remain exploitable; operators must isolate control zones, enforce least-privilege routing, and maintain time-synchronized logging for incident reconstruction.
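The baseline-driven write check described above, as an added example that is not part of the Hydrophobic project: it parses Modbus/TCP write requests (function codes 6 and 16) from constructed sample frames and flags any write to the chlorine residual register that comes from a source outside the allowlist or carries an implausible value. The allowed writer 192.168.1.100, register 0 and the 4.0 mg/L limit follow the article; the frames and the 0.1 mg/L-per-count scaling are assumptions.

```python
# Added example (not Hydrophobic project code): a protocol-aware monitor that parses
# Modbus/TCP write requests and alerts on writes to the chlorine residual register
# that break a defender's baseline. Baseline and sample frames are constructed.
import struct

BASELINE = {
    "allowed_writers": {"192.168.1.100"},  # assumed analyzer host (as in the iptables rule)
    "chlorine_register": 0,                # register the lab uses for the residual
    "max_plausible_raw": 40,               # 4.0 mg/L at an assumed 0.1 mg/L per count
}

def parse_write_request(frame: bytes):
    """Return (unit_id, start_register, values) for a write request, else None."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])  # MBAP header + FC
    if proto != 0 or length != len(frame) - 6:
        return None                      # not Modbus/TCP, or truncated frame
    pdu = frame[8:]
    if fc == 0x06 and len(pdu) == 4:     # Write Single Register
        reg, val = struct.unpack(">HH", pdu)
        return unit, reg, [val]
    if fc == 0x10 and len(pdu) >= 5:     # Write Multiple Registers
        start, qty, bytecount = struct.unpack(">HHB", pdu[:5])
        if bytecount != 2 * qty or len(pdu) != 5 + bytecount:
            return None
        return unit, start, list(struct.unpack(f">{qty}H", pdu[5:]))
    return None                          # reads and other function codes are not writes

def check_write(src_ip: str, frame: bytes, baseline=BASELINE):
    """Return alert strings for one frame; an empty list means nothing to flag."""
    parsed = parse_write_request(frame)
    if parsed is None:
        return []
    _unit, start, vals = parsed
    alerts = []
    if src_ip not in baseline["allowed_writers"]:
        alerts.append(f"register write from unauthorized source {src_ip}")
    cl = baseline["chlorine_register"]
    if start <= cl < start + len(vals):
        v = vals[cl - start]
        if v == 0 or v > baseline["max_plausible_raw"]:
            alerts.append(f"implausible residual {v / 10:.1f} mg/L written to register {cl}")
    return alerts

# Constructed capture: the analyzer writes 2.1 mg/L, then an unknown host writes 12.0 mg/L
SAMPLE_TRAFFIC = [
    ("192.168.1.100", bytes.fromhex("000100000006010600000015")),
    ("192.168.1.250", bytes.fromhex("000200000006010600000078")),
]
```

Feed `check_write` with the source address and payload of each TCP segment to port 502 (for example from a tcpdump capture) and forward non-empty results to the SIEM.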

Practical Hardening Commands (Industrial Firewall / Linux Host):

```bash
# Restrict Modbus TCP access to specific trusted IPs using iptables
# (rules are matched in order, so the ACCEPT must be appended before the DROP)
sudo iptables -A INPUT -p tcp --dport 502 -s 192.168.1.100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 502 -j DROP

# Monitor Modbus traffic on port 502 (requires tcpdump)
sudo tcpdump -i eth0 -nn -s0 port 502 -v

# Use nmap to detect exposed Modbus devices (authorized testing only)
nmap -p 502 --script modbus-discover <target-ip-range>
```

  5. The Operator’s Perspective: Why 22 Years of Experience Cannot Replace Secure Protocol Design

Joshua Brunner, the creator of Hydrophobic, brings a rare combination of perspectives: a Class A Licensed Water Treatment Operator with 22 years of municipal infrastructure experience who also writes Python code. This dual expertise reveals a critical gap in OT security: operators are trained to trust their instrumentation. When a chlorine residual reading drops unexpectedly, the correct response is to increase chemical feed. The system design provides no indication that the reading has been falsified at the protocol level.

Brunner’s operational insight is stark: “In a real chlorine-ammonia system, that single falsified reading can trigger a dosing cascade that degrades water quality across an entire distribution system. That’s not theory. That’s 22 years of operational experience talking.” The lab he built demonstrates that a single command, with no credentials and no physical access, is sufficient to initiate this cascade.

From a defensive engineering standpoint, this means that safety-instrumented systems and operator workstations must never blindly trust field sensor data without cross-validation. Where possible, deploy redundant sensors communicating over diverse paths. Implement engineering checks: a chlorine residual reading of zero should trigger a sensor health check before initiating chemical feed changes. And critically, audit all Modbus write transactions—logging which IP wrote which value to which register at what timestamp—to enable forensic reconstruction of an attack.
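The cross-validation described above, as an added example that is not Hydrophobic code: a dosing guard that refuses to act on a single residual reading until it passes plausibility, rate-of-change and redundant-sensor checks, returning a hold reason an operator can act on. The 4.0 mg/L limit is from the article; the 2.0 mg/L setpoint, the 0.5 mg/L step limit and the 0.3 mg/L sensor tolerance are assumptions.

```python
# Added example (not Hydrophobic project code): a dosing guard that cross-validates
# the chlorine residual before any feed change is issued, so one falsified reading
# cannot start the cascade. The thresholds below are assumptions chosen for illustration.
EPA_MAX_MG_L = 4.0              # residual limit cited in the article
MAX_STEP_MG_L = 0.5             # assumed largest plausible change between two samples
REDUNDANT_TOLERANCE_MG_L = 0.3  # assumed max disagreement between independent analyzers

def validate_residual(primary, redundant=None, previous=None):
    """Return (ok, reasons) for a new primary reading in mg/L.
    redundant: reading from a second analyzer on a separate path, if any.
    previous:  last accepted primary reading, if any."""
    reasons = []
    if primary <= 0.0:
        reasons.append("zero residual: run a sensor health check before changing feed")
    if primary > EPA_MAX_MG_L:
        reasons.append(f"{primary:.1f} mg/L exceeds the {EPA_MAX_MG_L:.1f} mg/L limit")
    if previous is not None and abs(primary - previous) > MAX_STEP_MG_L:
        reasons.append(f"jump of {abs(primary - previous):.1f} mg/L since the last sample")
    if redundant is not None and abs(primary - redundant) > REDUNDANT_TOLERANCE_MG_L:
        reasons.append(f"redundant analyzer reads {redundant:.1f} mg/L, sensors disagree")
    return (not reasons, reasons)

def dosing_decision(primary, redundant=None, previous=None, setpoint=2.0):
    """Return ("adjust", delta_mg_l) only when the reading passes cross-validation;
    otherwise ("hold", reasons) so an operator verifies the instrument first."""
    ok, reasons = validate_residual(primary, redundant, previous)
    if not ok:
        return ("hold", reasons)
    return ("adjust", round(setpoint - primary, 2))
```

With the lab's injected value of 120 (12.0 mg/L) the guard holds on three grounds at once, while a genuine drift of 0.1 mg/L is still acted on.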

What Undercode Say

  • Key Takeaway 1: The Modbus TCP protocol’s lack of authentication is a deliberate design choice from an era of isolated networks, but it has become the single largest vulnerability in water treatment ICS security. Attackers need only network access—no credentials, no exploit—to poison public drinking water supplies.
  • Key Takeaway 2: Practical defense requires abandoning perimeter-only security for a defense-in-depth approach combining network segmentation, protocol-aware monitoring, and where possible, migration to Modbus over TLS. The Hydrophobic lab provides a safe, accessible environment for operators and defenders to understand and mitigate this threat.

Expected Output

The reader will be able to (1) explain how unauthenticated Modbus TCP writes bypass all credential-based access controls, (2) build and execute a false data injection attack against a simulated chlorine analyzer within an isolated lab environment, and (3) implement at least three concrete defensive measures (segmentation, industrial firewall rules, protocol anomaly detection) to protect real water treatment infrastructure.

Prediction

Over the next 24 to 36 months, the water sector will see a wave of state-affiliated and hacktivist attacks exploiting unauthenticated Modbus TCP, mirroring the FrostyGoop pattern but targeted at chlorine disinfection systems. These attacks will succeed not because of sophisticated zero-days, but because thousands of water utilities continue to operate flat, unmonitored OT networks with remote access exposed. Regulatory pressure—via CISA directives and state-level cybersecurity mandates—will force accelerated adoption of NIST SP 800-82 controls, but the transition will be painful. Expect at least one major U.S. or European water utility to experience a verified false data injection attack with public health consequences before 2028, catalyzing long-overdue investment in protocol-level security and operator training.

Reported By: Joshua Brunner – Hackers Feeds