On Tuesday, the White House and Environmental Protection Agency warned US governors in a letter that cyberattacks are hitting water and wastewater systems “throughout the United States”, and state governments and water facilities must improve their defenses against the threat.
“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices,” said the letter to the governors from EPA Administrator Michael Regan and national security adviser Jake Sullivan.
The US water sector spans 150,000 public water systems and, in many cases, Regan and Sullivan said, “even basic cybersecurity precautions” are not in place at water facilities and “can mean the difference between business as usual and a disruptive cyberattack.”
The EPA also announced it will set up a “task force” to “identify the most significant vulnerabilities of water systems to cyberattacks,” among other pressing issues. White House officials invited state homeland security and environmental officials to a meeting to discuss cybersecurity improvements needed in the water sector.
Emily Phelps, Director, Cyware had this comment:
“The recent warnings from the White House and the EPA highlight a critical and growing threat to our nation’s infrastructure: cyberattacks targeting water and wastewater systems. This underscores the urgent need for investment in modern security capabilities to safeguard these essential services. The lack of fundamental cybersecurity precautions in many facilities poses a significant risk, potentially turning a minor breach into a major disruption. Ensuring the resilience of our water infrastructure against cyber threats is not just a matter of national security, but also of public health and safety, requiring collaborative efforts at all levels of government and between the public and private sectors.”
Dave Ratner, CEO, HYAS follows with this comment:
“The impact of a cyber attack on critical infrastructure, such as water systems, could be devastating and even life-impacting. It’s critical that everyone who provides critical infrastructure and services, not just water and wastewater systems, augment their security stack with resiliency-based approaches, such as Protective DNS, so they can detect in real-time any and all anomalous activity, render it inert before it causes damage, and ensure the safety of their services and the people who rely on them.”
John Gunn, CEO, Token adds this comment:
The biggest risk is the successful attacks on critical infrastructure that we have not yet detected. These are ticking time bombs. Imagine China invades Taiwan and we support our ally, or another scenario that leads to a broader conflict, China could then activate their earlier compromises and potentially cut off water, power, and other critical services for tens of millions of American citizens.
We’re all in this together. Thus we need to start acting like it or critical infrastructure will simply become the “go to” attack point for threat actors with citizens paying the price.
UPDATE: Mark B. Cooper, President & Founder, PKI Solutions supplied this comment:
“The recent communication from the White House and the EPA to US governors underscores the urgent need for cybersecurity in the water sector. With 150,000 public systems at risk and many lacking basic safeguards, the call for access to comprehensive security evaluations is critical. The formation of a task force to pinpoint vulnerabilities, along with planned strategic discussions and the appropriate funding it takes to implement the strategic plans, highlights the concerted effort needed to safeguard this critical infrastructure from cyber threats.
“Digital Certificates and the Public Key Infrastructure (PKI) that manages the digital certificates play a crucial role in providing advanced encryption methods that secures access and secures data, yet they are frequently underestimated and not managed properly. Posture Management for the Digital Certificates and the PKI needs to be a core requirement in the cybersecurity plans implemented to protect our water sector.”
EPA Issues Enforcement Alert For Water Systems In The US
Posted in Commentary with tags EPA on May 22, 2024 by itnerdOn Monday, the EPA released an enforcement alert encouraging water systems to take immediate action to protect the nation’s drinking water as cyberattacks against water utilities across the country are escalating in frequency and severity:
This Enforcement Alert provides community water systems (CWSs) with information on immediate steps they can take to ensure compliance with SDWA Section 1433 and to reduce cybersecurity vulnerabilities.
Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.
Implementing basic cyber hygiene practices can help your utility prevent, detect, respond to, and recover from cyber incidents. Because water utilities often rely on computer software to operate their treatment plants and distribution systems, protecting information technology and process control systems from cyberattacks is vital. Small water systems are not immune from cyberattacks. Recently, disruptive cyberattacks from adversarial nation states have impacted water systems of all sizes, including many small systems. As a result of these increased threats, EPA is increasing its enforcement activity to protect our nation’s drinking water.
Here’s some insights from Tom Marsland, VP of Technology, Cloud Range, and Board Chairman of VetSec that I got in my inbox on Tuesday:
“Yesterday, the EPA issued an enforcement alert due to the increase in attacks on United States critical infrastructure. The EPA outlined the existing rules and regulations governing drinking water systems and cyber security and effectively put operators on notice that they are increasing inspections and enforcement. This alert is simply that – an alert, to the rules and regulations that are already in place. While it is a step in the right direction, it does not go far enough to secure our nation’s critical infrastructure. While cyber domain borders are ambiguous due to the very infrastructure the internet is built on, there must be a clear line drawn with defending critical infrastructure, and the government must make clear that attacks on a drinking water system operator are attacks on the United States.
Not only should the EPA enforce the existing rules on the books, but until the punishments of ignoring the rules outweigh the cost of actually hiring cybersecurity professionals to work on these systems, these clear lapses in cyber hygiene will continue. In many cases, smaller operators simply do not have the budget or the education to secure their networks. The federal, state, and local governments must provide more resources, and quickly, to enable private operators to secure our cyber borders before we do see damage to equipment and harm come to the people consuming water from these systems.”
Threat actors will always go for the soft target and it looks like drinking water systems are on the list. That’s not good as a well placed attack will harm a lot of people. Hopefully the people who run these systems are paying attention so that this critical infrastructure is properly secured.
Leave a comment »