In July 2019, Iranian-linked threat actors penetrated the Bahrain Electricity and Water
Authority (EWA), gaining what investigators described as “command and control of
some of the systems” within the authority’s infrastructure. The intrusion
was part of a broader campaign that simultaneously targeted the Bahrain National Security
Agency, the Ministry of Interior, and the Office of the First Deputy Prime Minister.
The EWA compromise was particularly alarming because it represented industrial control
system (ICS) access to the infrastructure managing electricity generation and water
desalination for the entire kingdom.
First revealed through a Wall Street Journal investigation, the campaign bore the
hallmarks of a “test run” for disruption capabilities - a reconnaissance
and positioning operation designed to establish persistent access that could be
weaponized during a future geopolitical escalation. Bahraini citizens reported
anomalously elevated electricity and water bills during the compromise period,
though a direct causal link to the intrusion was never officially confirmed.
No fines or enforcement actions were publicly reported.
## Key Facts
- **What:** Iranian hackers gained command and control of electricity and water systems.
- **Who:** Bahrain EWA, National Security Agency, and Ministry of Interior.
- **Data Exposed:** ICS control access, utility billing data, and government agency systems.
- **Outcome:** Described as a "test run" for disruption; no public enforcement action.
## What Was Exposed
The EWA intrusion represents a category of compromise where the primary risk is not
data exfiltration but operational disruption and potential physical harm. When threat
actors gain command and control of industrial control systems managing electricity
grids and water treatment facilities, the exposure extends beyond digital assets to
the physical safety of an entire population.
- Command and control access to EWA’s operational systems, potentially
including SCADA/DCS systems controlling electricity generation, transmission,
and distribution across Bahrain
- Potential access to water desalination plant control systems - Bahrain
depends almost entirely on desalinated water, making this access an existential
threat to public health
- Compromise of the Bahrain National Security Agency’s systems, potentially
exposing intelligence operations, surveillance capabilities, and classified
communications
- Penetration of Ministry of Interior systems, which manage law enforcement,
civil defense, and internal security operations, including personal data of
citizens interacting with government services
- Access to the Office of the First Deputy Prime Minister, a senior government
office handling policy coordination and potentially sensitive diplomatic
communications
- Customer billing data and utility consumption records for Bahraini residents,
evidenced by the anomalous billing irregularities reported during the compromise
period
- Network architecture and access credentials for multiple government agencies,
enabling potential future re-entry even after the initial compromise was
addressed
The strategic significance of this intrusion cannot be overstated. Bahrain is a small
island nation of approximately 1.5 million people, heavily dependent on desalinated
water and imported electricity interconnections with Saudi Arabia. The EWA manages
the entirety of this critical infrastructure. An adversary with command and control
of EWA systems could, in theory, disrupt electricity supply to the entire country,
interfere with water desalination processes (potentially affecting water quality or
availability), or manipulate billing systems to create economic disruption and
public distrust in government services.
The characterization of this intrusion as a “test run” aligns with
well-documented patterns in state-sponsored cyber operations. Russia’s
Sandworm group conducted similar reconnaissance operations against Ukrainian power
infrastructure in 2014-2015 before executing the first confirmed cyberattack
to cause a power outage in December 2015. Iran appears to have adopted a similar
playbook in the Gulf: establishing persistent access during periods of relative
stability that can be activated during crisis escalation. The Dustman wiper attack
against BAPCO five months later, in December 2019, demonstrated that Iran was
willing to operationalize its access to Bahraini critical infrastructure.
The anomalous billing irregularities reported by Bahraini citizens during this period
add a tangible dimension to what might otherwise seem like an abstract intelligence
operation. If the attackers manipulated billing data - whether intentionally
as a test of their access capabilities or inadvertently as a side effect of their
activity within EWA systems - the impact was felt directly by citizens in
their household budgets. This illustrates how ICS compromises can have cascading
effects that extend far beyond the technical systems initially targeted.
The multi-agency scope of the campaign - EWA, NSA, Ministry of Interior, and
the Office of the First Deputy PM - suggests either a sophisticated operation
that exploited shared infrastructure (common authentication systems, shared network
segments, or centralized government IT services) or parallel intrusion operations
against multiple targets. Either scenario reveals fundamental weaknesses in Bahrain’s
government cybersecurity posture. If a single vulnerability provided access to
multiple agencies, it indicates dangerous centralization without adequate security.
If each agency was independently compromised, it indicates a systemic lack of
baseline security controls across the government.
The fact that this campaign was first revealed not by Bahraini authorities but by
a Wall Street Journal investigation raises serious questions about transparency
and accountability. Citizens whose personal data may have been exposed through
the Ministry of Interior compromise, or whose utility records were accessed through
EWA, were not notified through official channels. The government’s silence
on the matter - while understandable from a national security perspective -
represents a tension between security classification and the data protection rights
of affected individuals.
## Regulatory Analysis
Bahrain’s PDPL (Law No. 30 of 2018) had been enacted but was in its early
enforcement period when the EWA intrusion occurred in July 2019. The law’s
application to a state-sponsored intrusion affecting multiple government agencies
and a critical infrastructure operator tests the boundaries of the regulatory
framework in several significant ways.
Article 4 of the PDPL defines its scope, applying to the processing of personal data
by both public and private sector entities. EWA, as a government authority, processes
personal data of every electricity and water customer in Bahrain - names,
addresses, national identification (CPR) numbers, consumption patterns, and payment
information. The Ministry of Interior processes even more sensitive data: law
enforcement records, visa and immigration data, civil registry information, and
potentially surveillance data. Under Article 4, both entities are data controllers
subject to the full obligations of the PDPL, including security requirements.
Article 8 requires data controllers to implement “appropriate technical and
organizational measures” to protect personal data. The successful penetration
of four government agencies in a coordinated campaign suggests that the measures in
place were inadequate. For EWA specifically, the requirement is heightened by the
sensitivity of the data and the criticality of the infrastructure. ICS environments
controlling electricity and water supply demand security measures that go beyond
standard IT protections: air-gapped or data-diode-protected OT networks, continuous
monitoring of industrial protocols, and specialized ICS security tools. The achievement
of command and control over EWA systems indicates these measures were either absent
or ineffective.
Article 12 establishes breach notification obligations. The multi-agency compromise
affected personal data across multiple government entities, triggering notification
requirements for each controller. The fact that the intrusion was revealed by
international media rather than official government notifications suggests that
Article 12 obligations were not fulfilled. While national security considerations
may provide justification for limiting public disclosure, the PDPL does not contain
a blanket national security exemption for breach notification to the Personal Data
Protection Authority itself. The Authority should have been informed even if public
notification was restricted.
Article 6 addresses the lawfulness of data processing and, by extension, the
obligation to ensure that data is processed only in accordance with specified purposes.
Iranian threat actors accessing citizen utility data, law enforcement records, and
government communications constitutes unauthorized processing that the data controllers
failed to prevent. Under a strict reading of Article 6, each instance of unauthorized
access to personal data by the threat actors represents a separate processing violation
attributable to the controller’s failure to maintain adequate security.
The regulatory gap exposed by this incident is structural. The PDPL’s maximum
fine of BD 20,000 was never designed to address nation-state attacks on critical
infrastructure. Bahrain lacks a comprehensive critical infrastructure protection
law comparable to the EU’s NIS Directive or the UAE’s Critical
Infrastructure and Coastal Protection Authority mandate. The EWA intrusion falls
into a regulatory void between the PDPL (focused on personal data) and the absence
of a dedicated ICS security regulatory framework. This gap leaves critical
infrastructure operators without clear legal obligations for OT security beyond
the general data protection requirements of the PDPL.
## What Should Have Been Done
Protecting critical infrastructure from state-sponsored intrusion requires a defense-in-depth
approach that assumes the perimeter will eventually be breached and focuses on limiting
the attacker’s ability to escalate privileges, move laterally, and achieve
objectives within the network. For EWA specifically, the following measures should
have been in place.
The most critical architectural requirement for a utility managing both IT and OT
environments is rigorous network segmentation structured according to the Purdue Model
for industrial network architecture. OT networks controlling electricity generation,
transmission, and water desalination should have been physically or logically
separated from IT networks using unidirectional security gateways (data diodes)
that allow monitoring data to flow from OT to IT but prevent any traffic from
flowing in the reverse direction. This architecture ensures that even a complete
compromise of IT systems cannot provide command and control of OT environments.
The reported achievement of “command and control of some of the systems”
suggests either inadequate IT/OT separation or the existence of bridging connections
that violated segmentation policies.
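The segmentation policy described above can be checked mechanically. The following is an added example (not code from the original article, and not EWA's configuration): a small audit that assigns Purdue levels to address ranges and flags firewall allow-rules that let traffic be initiated from enterprise IT or the internet into OT zones, while leaving OT-to-IT monitoring flows alone. The zone ranges and rules are constructed for the demonstration.

```python
"""Added example, not code from the original article: audit firewall allow-rules
against Purdue-model zone levels and flag IT-to-OT paths that a unidirectional
gateway design would forbid. Zone ranges and rules are constructed, not EWA's."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Purdue levels assigned to constructed address ranges (assumed layout).
# Lower level = closer to the physical process.
ZONES = [
    ("L1 controllers (PLC/RTU)", ip_network("10.50.1.0/24"), 1),
    ("L2 SCADA/HMI",             ip_network("10.50.2.0/24"), 2),
    ("L3 operations DMZ",        ip_network("10.50.3.0/24"), 3),
    ("L4 enterprise IT",         ip_network("10.10.0.0/16"), 4),
    ("L5 internet / untrusted",  ip_network("0.0.0.0/0"),    5),
]


@dataclass
class Rule:
    name: str
    src: str       # host address or CIDR prefix
    dst: str
    port: int
    action: str    # "allow" or "deny"


def level_of(cidr: str) -> Tuple[str, int]:
    """Most specific zone (longest prefix) containing the address or prefix."""
    net = ip_network(cidr, strict=False)
    matches = [(name, lvl, zone.prefixlen) for name, zone, lvl in ZONES if net.subnet_of(zone)]
    name, lvl, _ = max(matches, key=lambda m: m[2])
    return name, lvl


def classify(rule: Rule) -> Optional[str]:
    """Finding for allow-rules that let traffic be initiated downward across the
    IT/OT boundary. Upward (OT -> IT) and within-OT flows (e.g. HMI -> PLC) pass."""
    if rule.action != "allow":
        return None
    src_name, src_lvl = level_of(rule.src)
    dst_name, dst_lvl = level_of(rule.dst)
    if dst_lvl <= 2 and src_lvl >= 3:
        return (f"CRITICAL: {src_name} may initiate tcp/{rule.port} into {dst_name}; "
                "a unidirectional gateway should make this impossible")
    if dst_lvl == 3 and src_lvl == 5:
        return f"HIGH: untrusted networks may reach the operations DMZ on tcp/{rule.port}"
    return None


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) for every rule that violates the policy."""
    return [(r.name, f) for r in rules if (f := classify(r))]


# Constructed rule set for the demo.
RULES = [
    Rule("historian-to-enterprise",  "10.50.3.10",   "10.10.7.5",    1433, "allow"),  # L3 -> L4: fine
    Rule("vendor-rdp-to-hmi",        "10.10.4.0/24", "10.50.2.0/24", 3389, "allow"),  # L4 -> L2: critical
    Rule("web-to-ops-dmz",           "0.0.0.0/0",    "10.50.3.20",   443,  "allow"),  # L5 -> L3: high
    Rule("hmi-to-plc-modbus",        "10.50.2.0/24", "10.50.1.0/24", 502,  "allow"),  # L2 -> L1: fine
    Rule("enterprise-to-dmz-portal", "10.10.0.0/16", "10.50.3.20",   443,  "allow"),  # L4 -> L3: fine
    Rule("default-deny",             "0.0.0.0/0",    "0.0.0.0/0",    0,    "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

The check is deliberately one-directional: a rule that lets the operations DMZ push historian data up to enterprise IT is accepted, while a vendor remote-access rule that reaches the SCADA/HMI zone from enterprise IT is the kind of bridging connection the text says would undermine the architecture.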
EWA should have deployed an ICS-specific security monitoring solution capable of
deep packet inspection of industrial protocols (Modbus, DNP3, IEC 61850, IEC 60870-5-104)
used in electricity grid and water treatment SCADA systems. Solutions like Dragos,
Claroty, or Nozomi Networks can establish baseline models of normal ICS communication
patterns and alert on anomalous commands, unauthorized protocol usage, or unexpected
connections to control system components. These tools would have detected the
initial stages of the attacker’s interaction with OT systems, well before
command and control was established.
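To make the baseline-and-alert idea concrete, here is an added example (not code from the original article or from any of the named vendors' products): a minimal Modbus/TCP request parser and a learned allow-list of which host may send which function codes to which unit, which then alerts on an unknown source, a function code never seen from that host, or a write outside the register range observed during learning. Hosts, unit IDs, register addresses and the sample frames are all constructed for the demonstration.

```python
"""Added example, not code from the original article or any vendor product:
parse Modbus/TCP requests, learn a baseline of normal traffic, alert on
deviations. All hosts, unit IDs and register ranges are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes (subset).
FC_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
            4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FCS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    src: str        # requester IP, taken from the TCP layer by the caller
    unit_id: int
    function: int
    address: int    # first coil/register addressed
    count: int      # items addressed (1 for the single-item functions)


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the leading PDU fields of a request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id != 0: not Modbus")
    if length != len(frame) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function, pdu = frame[7], frame[8:]
    if function not in FC_NAMES or len(pdu) < 4:
        raise ValueError(f"unsupported or truncated function {function}")
    address, count = struct.unpack(">HH", pdu[:4])
    if function in (5, 6):                # single-item writes carry a value, not a count
        count = 1
    return ModbusRequest(src, unit_id, function, address, count)


def build_request(tid: int, unit_id: int, function: int, address: int, count_or_value: int) -> bytes:
    """Build a request frame; used here only to construct the sample traffic."""
    pdu = struct.pack(">BHH", function, address, count_or_value)
    if function == 16:    # write-multiple-registers also carries byte count + data
        pdu += bytes([2 * count_or_value]) + b"\x00" * (2 * count_or_value)
    elif function == 15:
        n = (count_or_value + 7) // 8
        pdu += bytes([n]) + b"\x00" * n
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


class ModbusBaseline:
    """Allow-list learned during a quiet period, then enforced."""

    def __init__(self) -> None:
        self.allowed: dict = {}        # (src, unit_id) -> set of function codes
        self.write_ranges: dict = {}   # unit_id -> (lowest, highest) register written

    def learn(self, req: ModbusRequest) -> None:
        self.allowed.setdefault((req.src, req.unit_id), set()).add(req.function)
        if req.function in WRITE_FCS:
            last = req.address + req.count - 1
            lo, hi = self.write_ranges.get(req.unit_id, (req.address, last))
            self.write_ranges[req.unit_id] = (min(lo, req.address), max(hi, last))

    def check(self, req: ModbusRequest) -> Optional[str]:
        fcs = self.allowed.get((req.src, req.unit_id))
        name = FC_NAMES[req.function]
        if fcs is None:
            return f"ALERT unknown source {req.src} addressed unit {req.unit_id}"
        if req.function not in fcs:
            return f"ALERT {req.src} sent {name} to unit {req.unit_id}, never seen in baseline"
        if req.function in WRITE_FCS:
            lo, hi = self.write_ranges[req.unit_id]
            last = req.address + req.count - 1
            if req.address < lo or last > hi:
                return (f"ALERT {req.src} wrote registers {req.address}-{last} on unit "
                        f"{req.unit_id}, outside baseline {lo}-{hi}")
        return None


def run_demo() -> list:
    """Learn from constructed normal traffic, then check constructed later traffic."""
    base = ModbusBaseline()
    # Learning period: HMI 10.20.0.5 reads unit 1 and writes setpoints 100-103;
    # historian 10.20.0.6 only reads unit 2.
    learning = [
        ("10.20.0.5", build_request(1, 1, 3, 0, 10)),
        ("10.20.0.5", build_request(2, 1, 6, 100, 1500)),
        ("10.20.0.5", build_request(3, 1, 6, 103, 1200)),
        ("10.20.0.6", build_request(4, 2, 4, 0, 8)),
    ]
    for src, frame in learning:
        base.learn(parse_modbus_tcp(src, frame))
    observed = [
        ("10.20.0.5", build_request(5, 1, 3, 0, 10)),      # normal read
        ("10.20.0.6", build_request(6, 2, 6, 50, 1)),      # historian never wrote before
        ("10.20.0.5", build_request(7, 1, 6, 400, 0)),     # setpoint write outside learned range
        ("10.20.0.5", build_request(8, 1, 16, 100, 2)),    # bulk write, a function code never seen
        ("192.168.1.77", build_request(9, 1, 3, 0, 10)),   # unknown source polling the PLC
    ]
    return [a for a in (base.check(parse_modbus_tcp(s, f)) for s, f in observed) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Commercial ICS monitors do far more (passive capture, asset inventory, multi-protocol parsers, vendor-specific semantics), but the alerting logic above is the core: an adversary establishing control over a controller almost always has to issue writes from a host, or with a function code, that the plant's normal traffic never contained.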
The multi-agency scope of the compromise suggests that Bahrain’s government
agencies may have shared common infrastructure components - such as centralized
authentication services, shared VPN platforms, or common email systems - that
provided lateral movement paths between agencies. A zero-trust architecture approach
would have required each agency to maintain independent identity providers, enforce
continuous authentication verification, and treat all network traffic (including
intra-government traffic) as potentially hostile. Micro-segmentation at the
application level, enforced by next-generation firewalls or software-defined
perimeters, would have contained the blast radius of any single agency’s
compromise.
Privileged access management is particularly critical in government environments
where administrative accounts often have broad access across multiple systems.
EWA and the other compromised agencies should have implemented a privileged access
management (PAM) solution with just-in-time access provisioning, session recording,
and mandatory multi-factor authentication for all administrative actions. Service
accounts should have been inventoried, their permissions minimized to the specific
functions required, and their credentials rotated automatically on a regular schedule.
The use of managed service accounts (gMSAs in Active Directory environments) would
have eliminated the risk of credential theft for service identities.
Threat intelligence integration should have been a cornerstone of EWA’s
security operations. Iran’s cyber operations against Gulf states are extensively
documented by commercial threat intelligence providers (Mandiant, CrowdStrike,
Recorded Future) and government advisory bodies (US-CERT, Saudi NCA, UAE aeCERT).
The tactics, techniques, and procedures (TTPs) used in the EWA intrusion would have
aligned with known Iranian APT patterns, and proactive threat hunting based on
updated indicators of compromise (IOCs) and behavioral signatures should have
identified the intrusion during its early stages. EWA’s security team should
have been conducting regular threat hunts specifically focused on Iranian APT
activity in the Gulf energy sector.
Bahrain should establish a national critical infrastructure protection framework
with mandatory security standards for operators of essential services. This
framework should include: mandatory security certifications (IEC 62443 for
industrial control systems, ISO 27001 for information security management),
regular penetration testing by accredited third-party assessors, mandatory
incident reporting to a national CERT with defined timelines, and regular
cross-agency exercises simulating coordinated state-sponsored intrusion scenarios.
The absence of such a framework at the time of the EWA compromise left critical
infrastructure security standards to the discretion of individual agencies, resulting
in inconsistent protections across the government.
Finally, Bahrain should invest in a national Security Operations Center (SOC)
with visibility across all government agencies and critical infrastructure operators.
A centralized SOC with federated log collection would have the ability to correlate
suspicious activity across EWA, NSA, MoI, and the PM’s office simultaneously,
identifying the coordinated nature of the campaign far earlier than any individual
agency could in isolation. Countries like the UAE (with the National Electronic
Security Authority) and Saudi Arabia (with the NCA) have invested heavily in
centralized cybersecurity monitoring capabilities. Bahrain’s smaller scale
actually makes this approach more feasible and more urgently needed.
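The two preceding points, threat-hunting against intelligence feeds and a national SOC that correlates across agencies, can be illustrated together. The following is an added example (not code from the original article, and not any country's SOC tooling): a small correlation pass over constructed log lines from four agencies that flags an external source reaching several agencies inside one time window, which no single agency could see in its own logs, plus a match against a hypothetical indicator list. The log lines, hostnames, users, IP addresses and the IOC domain are all constructed placeholders.

```python
"""Added example, not code from the original article: cross-agency correlation of
federated logs plus matching against a hypothetical threat-intel IOC list.
All log lines, hosts, users, IPs and the IOC domain are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log lines, already normalised by the collector to:
#   <UTC timestamp> <agency> <host> <event> key=value ...
LOGS = [
    "2019-07-01T02:10:05Z EWA vpn-gw LOGIN_OK user=ops-admin src=203.0.113.41",
    "2019-07-01T02:14:30Z MOI vpn-gw LOGIN_FAIL user=admin src=203.0.113.41",
    "2019-07-01T02:15:02Z MOI vpn-gw LOGIN_OK user=svc-backup src=203.0.113.41",
    "2019-07-01T02:40:11Z NSA mail-gw LOGIN_OK user=analyst7 src=203.0.113.41",
    "2019-07-01T09:00:00Z EWA vpn-gw LOGIN_OK user=ops-admin src=198.51.100.9",
    "2019-07-02T11:22:00Z DPMO proxy CONNECT dst=c2.placeholder-ioc.example src=10.9.0.15",
    "2019-07-03T03:00:00Z MOI vpn-gw LOGIN_OK user=svc-backup src=203.0.113.41",
]
# Hypothetical indicators from a threat-intel feed (placeholders, not real IOCs).
IOC_DOMAINS = {"c2.placeholder-ioc.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(.*)$")
# RFC 1918 only: ipaddress.is_private would also treat the documentation
# ranges used in the sample (203.0.113.0/24, 198.51.100.0/24) as private.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_line(line: str):
    """Turn one normalised line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group(5).split() if "=" in kv)
    return {"ts": ts, "agency": m.group(2), "host": m.group(3), "event": m.group(4), **fields}


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def correlate_sources(events, window=timedelta(hours=1), min_agencies=2):
    """Flag an external source that reaches several agencies inside one window."""
    by_src = defaultdict(list)
    for e in events:
        src = e.get("src")
        if src and not is_internal(src):
            by_src[src].append((e["ts"], e["agency"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            agencies = {a for t, a in hits[i:] if t - t0 <= window}
            if len(agencies) >= min_agencies:
                alerts.append(f"CAMPAIGN {src} reached {sorted(agencies)} within "
                              f"{window} of {t0:%Y-%m-%dT%H:%MZ}")
                break   # one alert per source is enough for the analyst queue
    return alerts


def match_iocs(events):
    """Hunt for connections to indicator domains from any agency's proxy logs."""
    return [f"IOC {e['agency']}/{e['host']}: {e.get('src')} connected to {e['dst']}"
            for e in events if e.get("dst") in IOC_DOMAINS]


def analyze(lines):
    events = [e for e in (parse_line(l) for l in lines) if e]
    return correlate_sources(events) + match_iocs(events)


if __name__ == "__main__":
    for alert in analyze(LOGS):
        print(alert)
```

Run against the sample, the correlation step produces one campaign alert for the source that logged into three agencies within forty minutes (a pattern invisible to each agency's own SOC, since each sees only one or two logins), and the IOC step produces one hit. In a real deployment the agency field would come from the collector's source tagging, the window and threshold would be tuned per event type, and successful logins from an external source would be enriched with identity data before escalation.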
The Iranian intrusion into Bahrain’s EWA represents the most dangerous
category of cyber operation: pre-positioning for potential physical disruption
of essential services. When adversaries achieve command and control of systems
managing electricity and water for an entire nation, the consequences of
escalation extend beyond data to human safety. Bahrain’s PDPL was not
designed for this threat landscape, and the absence of a dedicated critical
infrastructure protection framework leaves the kingdom’s most essential
systems governed by data protection rules inadequate for the threat they face.