ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me

Bahrain Electricity & Water Authority Iranian ICS Intrusion

Jul 2019 · Critical infrastructure

Publication Date
2019-07-01
Category
Nation-State & Espionage
Author
K. Ellabban
Organization
Zero|Tolerance Security Research

In July 2019, Iranian-linked threat actors penetrated the Bahrain Electricity and Water Authority (EWA), gaining what investigators described as “command and control of some of the systems” within the authority’s infrastructure. The intrusion was part of a broader campaign that simultaneously targeted the Bahrain National Security Agency, the Ministry of Interior, and the Office of the First Deputy Prime Minister.

Executive Summary

Key Facts

  • What: Iranian hackers gained command and control of electricity and water systems.
  • Who: Bahrain EWA, National Security Agency, and Ministry of Interior.
  • Data Exposed: ICS control access, utility billing data, and government agency systems.
  • Outcome: Described as a "test run" for disruption; no public enforcement action.

Impact Assessment

What Was Exposed

The EWA intrusion represents a category of compromise where the primary risk is not data exfiltration but operational disruption and potential physical harm. When threat actors gain command and control of industrial control systems managing electricity grids and water treatment facilities, the exposure extends beyond digital assets to the physical safety of an entire population.

  • Command and control access to EWA’s operational systems, potentially including SCADA/DCS systems controlling electricity generation, transmission, and distribution across Bahrain
  • Potential access to water desalination plant control systems - Bahrain depends almost entirely on desalinated water, making this access an existential threat to public health
  • Compromise of the Bahrain National Security Agency’s systems, potentially exposing intelligence operations, surveillance capabilities, and classified communications
  • Penetration of Ministry of Interior systems, which manage law enforcement, civil defense, and internal security operations, including personal data of citizens interacting with government services
  • Access to the Office of the First Deputy Prime Minister, a senior government office handling policy coordination and potentially sensitive diplomatic communications
  • Customer billing data and utility consumption records for Bahraini residents, evidenced by the anomalous billing irregularities reported during the compromise period
  • Network architecture and access credentials for multiple government agencies, enabling potential future re-entry even after the initial compromise was addressed

The strategic significance of this intrusion cannot be overstated. Bahrain is a small island nation of approximately 1.5 million people, heavily dependent on desalinated water and imported electricity interconnections with Saudi Arabia. The EWA manages the entirety of this critical infrastructure.

An adversary with command and control of EWA systems could, in theory, disrupt electricity supply to the entire country, interfere with water desalination processes (potentially affecting water quality or availability), or manipulate billing systems to create economic disruption and public distrust in government services.

The characterization of this intrusion as a “test run” aligns with well-documented patterns in state-sponsored cyber operations. Russia’s Sandworm group conducted similar reconnaissance operations against Ukrainian power infrastructure in 2014-2015 before executing the first confirmed cyberattack to cause a power outage in December 2015. Iran appears to have adopted a similar playbook in the Gulf: establishing persistent access during periods of relative stability that can be activated during crisis escalation.

The Dustman wiper attack against BAPCO five months later, in December 2019, demonstrated that Iran was willing to operationalize its access to Bahraini critical infrastructure.

The anomalous billing irregularities reported by Bahraini citizens during this period add a tangible dimension to what might otherwise seem like an abstract intelligence operation. If the attackers manipulated billing data - whether intentionally as a test of their access capabilities or inadvertently as a side effect of their activity within EWA systems - the impact was felt directly by citizens in their household budgets. This illustrates how ICS compromises can have cascading effects that extend far beyond the technical systems initially targeted.

The multi-agency scope of the campaign - EWA, NSA, Ministry of Interior, and the Office of the First Deputy PM - suggests either a sophisticated operation that exploited shared infrastructure (common authentication systems, shared network segments, or centralized government IT services) or parallel intrusion operations against multiple targets. Either scenario reveals fundamental weaknesses in Bahrain’s government cybersecurity posture. If a single vulnerability provided access to multiple agencies, it indicates dangerous centralization without adequate security.

If each agency was independently compromised, it indicates a systemic lack of baseline security controls across the government.

The fact that this campaign was first revealed not by Bahraini authorities but by a Wall Street Journal investigation raises serious questions about transparency and accountability. Citizens whose personal data may have been exposed through the Ministry of Interior compromise, or whose utility records were accessed through EWA, were not notified through official channels. The government’s silence on the matter - while understandable from a national security perspective - represents a tension between security classification and the data protection rights of affected individuals.

Compliance Impact

Regulatory Analysis

Bahrain’s PDPL (Law No. 30 of 2018) had been enacted but was in its early enforcement period when the EWA intrusion occurred in July 2019. The law’s application to a state-sponsored intrusion affecting multiple government agencies and a critical infrastructure operator tests the boundaries of the regulatory framework in several significant ways.

Article 4 of the PDPL defines its scope, applying to the processing of personal data by both public and private sector entities. EWA, as a government authority, processes personal data of every electricity and water customer in Bahrain - names, addresses, national identification (CPR) numbers, consumption patterns, and payment information. The Ministry of Interior processes even more sensitive data: law enforcement records, visa and immigration data, civil registry information, and potentially surveillance data.

Under Article 4, both entities are data controllers subject to the full obligations of the PDPL, including security requirements.

Article 8 requires data controllers to implement “appropriate technical and organizational measures” to protect personal data. The successful penetration of four government agencies in a coordinated campaign suggests that the measures in place were inadequate. For EWA specifically, the requirement is heightened by the sensitivity of the data and the criticality of the infrastructure.

ICS environments controlling electricity and water supply demand security measures that go beyond standard IT protections: air-gapped or data-diode-protected OT networks, continuous monitoring of industrial protocols, and specialized ICS security tools. The achievement of command and control over EWA systems indicates these measures were either absent or ineffective.

Article 12 establishes breach notification obligations. The multi-agency compromise affected personal data across multiple government entities, triggering notification requirements for each controller. The fact that the intrusion was revealed by international media rather than official government notifications suggests that Article 12 obligations were not fulfilled.

While national security considerations may provide justification for limiting public disclosure, the PDPL does not contain a blanket national security exemption for breach notification to the Personal Data Protection Authority itself. The Authority should have been informed even if public notification was restricted.

Article 6 addresses the lawfulness of data processing and, by extension, the obligation to ensure that data is processed only in accordance with specified purposes.

Iranian threat actors accessing citizen utility data, law enforcement records, and government communications constitutes unauthorized processing that the data controllers failed to prevent. Under a strict reading of Article 6, each instance of unauthorized access to personal data by the threat actors represents a separate processing violation attributable to the controller’s failure to maintain adequate security.

The regulatory gap exposed by this incident is structural. The PDPL’s maximum fine of BD 20,000 was never designed to address nation-state attacks on critical infrastructure. Bahrain lacks a comprehensive critical infrastructure protection law comparable to the EU’s NIS Directive or the UAE’s Critical Infrastructure and Coastal Protection Authority mandate. The EWA intrusion falls into a regulatory void between the PDPL (focused on personal data) and the absence of a dedicated ICS security regulatory framework.

This gap leaves critical infrastructure operators without clear legal obligations for OT security beyond the general data protection requirements of the PDPL.

Assessment

What Should Have Been Done

Protecting critical infrastructure from state-sponsored intrusion requires a defense-in-depth approach that assumes the perimeter will eventually be breached and focuses on limiting the attacker’s ability to escalate privileges, move laterally, and achieve objectives within the network. For EWA specifically, the following measures should have been in place.

The most critical architectural requirement for a utility managing both IT and OT environments is rigorous network segmentation following the Purdue Model for industrial network architecture. OT networks controlling electricity generation, transmission, and water desalination should have been physically or logically separated from IT networks using unidirectional security gateways (data diodes) that allow monitoring data to flow from OT to IT but prevent any traffic from flowing in the reverse direction.

This architecture ensures that even a complete compromise of IT systems cannot provide command and control of OT environments.

The reported achievement of “command and control of some of the systems” suggests either inadequate IT/OT separation or the existence of bridging connections that violated segmentation policies.

EWA should have deployed an ICS-specific security monitoring solution capable of deep packet inspection of industrial protocols (Modbus, DNP3, IEC 61850, IEC 60870-5-104) used in electricity grid and water treatment SCADA systems. Solutions like Dragos, Claroty, or Nozomi Networks can establish baseline models of normal ICS communication patterns and alert on anomalous commands, unauthorized protocol usage, or unexpected connections to control system components.

These tools would have detected the initial stages of the attacker’s interaction with OT systems, well before command and control was established.
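One way to show the baseline-and-alert logic described above in working code, as an added example that is not from the advisory or from any of the vendors it names: a minimal Modbus/TCP parser, a learning phase that records which master talks to which outstation with which function codes, and a detector that ranks unexpected write commands above unexpected reads. All addresses, unit ids, register addresses and frames are constructed for the example.

```python
import struct
from collections import namedtuple
# Modbus function codes that change process state; reads are lower risk.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
Frame = namedtuple("Frame", "src dst unit function data")

def adu(tid, unit, function, data):
    """Build a Modbus/TCP ADU: MBAP header (txn id, proto 0, length, unit) + PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(src, dst, payload):
    """Parse one ADU; None when the MBAP header disagrees with the bytes actually seen."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return Frame(src, dst, unit, payload[7], payload[8:])

def build_baseline(packets):
    """Learning phase: every (master, outstation, unit, function) seen in normal operation."""
    frames = (parse_modbus_tcp(s, d, p) for s, d, p in packets)
    return {(fr.src, fr.dst, fr.unit, fr.function) for fr in frames if fr is not None}

def detect(packets, baseline):
    """Alert on traffic outside the baseline; writes from unknown peers rank highest."""
    alerts = []
    for src, dst, payload in packets:
        fr = parse_modbus_tcp(src, dst, payload)
        if fr is None:
            alerts.append(("MEDIUM", src, dst, "malformed or non-Modbus payload on TCP/502"))
        elif (fr.src, fr.dst, fr.unit, fr.function) in baseline:
            continue  # matches learned behaviour
        elif fr.function in WRITE_FUNCTIONS:
            alerts.append(("HIGH", src, dst, f"{WRITE_FUNCTIONS[fr.function]} to unit {fr.unit} not in baseline"))
        else:
            alerts.append(("MEDIUM", src, dst, f"function {fr.function} to unit {fr.unit} not in baseline"))
    return alerts

# Constructed sample traffic; addresses and register layout are invented for this example.
HMI, EWS, PLC = "10.1.1.10", "10.1.1.77", "10.2.0.5"
LEARNING = [(HMI, PLC, adu(1, 1, 3, b"\x00\x00\x00\x0a"))]   # HMI polls 10 holding registers
LIVE = [(HMI, PLC, adu(2, 1, 3, b"\x00\x00\x00\x0a")),       # routine poll, in baseline
        (EWS, PLC, adu(3, 1, 5, b"\x00\x01\xff\x00")),       # unknown host forces coil 1 ON
        (EWS, PLC, adu(4, 1, 3, b"\x00\x00\x00\x02")),       # unknown host reading registers
        (EWS, PLC, b"\x00\x05\x00\x00\x00\x03\x01\x05")]     # length field says 3, only 2 follow

def run():
    return detect(LIVE, build_baseline(LEARNING))
```

A production sensor would learn the baseline from days of capture and key on far more than the function code (register ranges, polling cadence, response timing), but the ordering of alerts here is the point: a write from a host that never wrote before is the signal that precedes command and control.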

The multi-agency scope of the compromise suggests that Bahrain’s government agencies may have shared common infrastructure components - such as centralized authentication services, shared VPN platforms, or common email systems - that provided lateral movement paths between agencies. A zero-trust architecture approach would have required each agency to maintain independent identity providers, enforce continuous authentication verification, and treat all network traffic (including intra-government traffic) as potentially hostile.

Micro-segmentation at the application level, enforced by next-generation firewalls or software-defined perimeters, would have contained the blast radius of any single agency’s compromise.

Privileged access management is particularly critical in government environments where administrative accounts often have broad access across multiple systems.

EWA and the other compromised agencies should have implemented a privileged access management (PAM) solution with just-in-time access provisioning, session recording, and mandatory multi-factor authentication for all administrative actions. Service accounts should have been inventoried, their permissions minimized to the specific functions required, and their credentials rotated automatically on a regular schedule.

The use of managed service accounts (gMSAs in Active Directory environments) would have eliminated the risk of credential theft for service identities.

Threat intelligence integration should have been a cornerstone of EWA’s security operations. Iran’s cyber operations against Gulf states are extensively documented by commercial threat intelligence providers (Mandiant, CrowdStrike, Recorded Future) and government advisory bodies (US-CERT, Saudi NCA, UAE aeCERT).

The tactics, techniques, and procedures (TTPs) used in the EWA intrusion would have aligned with known Iranian APT patterns, and proactive threat hunting based on updated indicators of compromise (IOCs) and behavioral signatures should have identified the intrusion during its early stages. EWA’s security team should have been conducting regular threat hunts specifically focused on Iranian APT activity in the Gulf energy sector.

Bahrain should establish a national critical infrastructure protection framework with mandatory security standards for operators of essential services. This framework should include: mandatory security certifications (IEC 62443 for industrial control systems, ISO 27001 for information security management), regular penetration testing by accredited third-party assessors, mandatory incident reporting to a national CERT with defined timelines, and regular cross-agency exercises simulating coordinated state-sponsored intrusion scenarios.

The absence of such a framework at the time of the EWA compromise left critical infrastructure security standards to the discretion of individual agencies, resulting in inconsistent protections across the government.

Finally, Bahrain should invest in a national Security Operations Center (SOC) with visibility across all government agencies and critical infrastructure operators.

A centralized SOC with federated log collection would have the ability to correlate suspicious activity across EWA, NSA, MoI, and the PM’s office simultaneously, identifying the coordinated nature of the campaign far earlier than any individual agency could in isolation. Countries like the UAE (with the National Electronic Security Authority) and Saudi Arabia (with the NCA) have invested heavily in centralized cybersecurity monitoring capabilities. Bahrain’s smaller scale actually makes this approach more feasible and more urgently needed.

The Iranian intrusion into Bahrain’s EWA represents the most dangerous category of cyber operation: pre-positioning for potential physical disruption of essential services. When adversaries achieve command and control of systems managing electricity and water for an entire nation, the consequences of escalation extend beyond data to human safety. Bahrain’s PDPL was not designed for this threat landscape, and the absence of a dedicated critical infrastructure protection framework leaves the kingdom’s most essential systems governed by data protection rules inadequate for the threat they face.