New report details cyber vulnerabilities in US water infrastructure
Danny Jenkins, CEO and co-founder of cybersecurity firm ThreatLocker, was terrified when he first heard details of a cyberattack on a water treatment plant in Florida earlier this year.
Officials said hackers exploited an outdated version of Windows with the apparent aim of poisoning a local community’s water supply. Jenkins, was not only alarmed that hackers had managed to remotely access the plant’s TeamViewer software to increase sodium hydroxide levels to a lethal dose, but that a single operator could potentially tamper with chemical levels – it doesn’t matter if that person was a hacker or a utility employee.
“Why was an operator, one person, able to turn a dial that could poison the water? Jenkins said in a recent interview with FCW. “Water companies tend to live in the past because their technologies live in the past… Whatever IT elements and controls we put in place, the limits must also be put in place.
On Tuesday, ThreatLocker released a report titled Protect hydraulic infrastructures against cyber attacks, which explores the challenges faced by water utilities when seeking to improve their cybersecurity posture. Jenkins said he hoped the report could serve as a framework for officials tasked with creating new cybersecurity best practice guidelines for water management and other critical industries before the Sept. 22 deadline to the White House. memorandum on improving the cybersecurity of critical infrastructure control systems.
Water utilities plagued by lack of funding for IT cybersecurity
ThreatLocker’s report detailed the extremely limited information technology (IT) and operational technology (TO) financial resources for water utilities across the country.
For example, at least 38% of systems nationwide have allocated less than 1% of their overall budget to IT cybersecurity, according to the Audit Association’s “State of the Cyber Security Industry 2021” and control of information systems (ISACA). Another 22.1% of systems were only allocating 1% to 5% of their budget to resolve IT cybersecurity issues.
National and local infrastructure advocates have testified on Capitol Hill in recent weeks about the need to increase federal investments in cybersecurity resources around water infrastructure for rural and small communities.
The $ 1 trillion infrastructure bill currently under consideration by the US Senate also includes a section on cybersecurity support for public water supply systems as part of a planned investment of $ 48.4 billion dollars in water infrastructure. The bill mandates the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize risks to public water systems and drinking water sources. Under the bill, federal officials will provide site vulnerability and risk assessments, as well as additional support and consultation, for public water systems that CISA believes should be a priority for the site. cybersecurity support.
A federal audit process for water utilities similar to that detailed in legislation can also help provide clearer and standardized regulations for any public water supply system in the hope of improving its cyber posture. , Jenkins said.
Experts at a Senate Environment and Public Works Committee hearing in July highlighted federal initiatives they say are currently underutilized, such as the Rural Water Circuit Rider Program, which can provide technical assistance. such as training in cybersecurity and other resources for water utilities and their employees.
The water industry has largely failed to establish clear and universal cybersecurity guidelines on its own, the report notes, with the management of water infrastructure typically left to local municipalities or private companies.
A recent survey by the Water Information Sharing and Analysis Center (Water-ISAC) showed that a majority of water utilities have yet to fully assess the risks to their own IT assets.
While additional financial resources can go a long way in improving the cyber posture, Jenkins noted that water utilities need clear guidance on how to spend the funds in order to adequately protect their infrastructure.
“I hope the government comes up with tangible guidelines that people can actually follow, as opposed to vagueness,” he said. “Everyone wants a list of ways to move forward. No one knows what to do right now.”
Chris Riotta is a writer at FCW and covers government procurement policy and technology. Chris joined FCW after covering American politics for three years at The Independent. He received his Masters degree from Columbia University Graduate School of Journalism, where he served as Class 2021 President.