EPA Issues Enforcement Alert For Water Systems In The US

On Monday, the EPA released an enforcement alert encouraging water systems to take immediate action to protect the nation’s drinking water as cyberattacks against water utilities across the country are escalating in frequency and severity:

This Enforcement Alert provides community water systems (CWSs) with information on immediate steps they can take to ensure compliance with SDWA Section 1433 and to reduce cybersecurity vulnerabilities.

Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.

Implementing basic cyber hygiene practices can help your utility prevent, detect, respond to, and recover from cyber incidents. Because water utilities often rely on computer software to operate their treatment plants and distribution systems, protecting information technology and process control systems from cyberattacks is vital. Small water systems are not immune from cyberattacks. Recently, disruptive cyberattacks from adversarial nation states have impacted water systems of all sizes, including many small systems. As a result of these increased threats, EPA is increasing its enforcement activity to protect our nation’s drinking water.

Here are some insights from Tom Marsland, VP of Technology, Cloud Range, and Board Chairman of VetSec, that I got in my inbox on Tuesday:

“Yesterday, the EPA issued an enforcement alert due to the increase in attacks on United States critical infrastructure. The EPA outlined the existing rules and regulations governing drinking water systems and cyber security and effectively put operators on notice that they are increasing inspections and enforcement. This alert is simply that – an alert, to the rules and regulations that are already in place. While it is a step in the right direction, it does not go far enough to secure our nation’s critical infrastructure. While cyber domain borders are ambiguous due to the very infrastructure the internet is built on, there must be a clear line drawn with defending critical infrastructure, and the government must make clear that attacks on a drinking water system operator are attacks on the United States.

Not only should the EPA enforce the existing rules on the books, but until the punishments of ignoring the rules outweigh the cost of actually hiring cybersecurity professionals to work on these systems, these clear lapses in cyber hygiene will continue. In many cases, smaller operators simply do not have the budget or the education to secure their networks. The federal, state, and local governments must provide more resources, and quickly, to enable private operators to secure our cyber borders before we do see damage to equipment and harm come to the people consuming water from these systems.”

Threat actors will always go for the soft target, and it looks like drinking water systems are on the list. That’s not good, as a well-placed attack will harm a lot of people. Hopefully the people who run these systems are paying attention so that this critical infrastructure is properly secured.
