Matthew
Holt, publisher of The Health Care Blog, thinks I worry too much about
too many things. He’s probably right. But here’s one worry I’d be remiss in not
alerting people to: your water supply is not as safe – not nearly as safe – as
you probably assume it is.
I’m not talking about the danger of lead pipes. I’m not even talking about the danger of microplastics in your water. I’ve warned about both of those before (and I’m still worried about them). No, I’m worried we’re not taking the danger of cyberattacks against our water systems seriously enough.
A week ago
the EPA issued an enforcement alert about cybersecurity vulnerabilities
and threats to community drinking water systems. This was a day after EPA head
Michael Regan and National Security Advisor Jake Sullivan sent a letter to all
U.S. governors warning them of “disabling cyberattacks” on water and wastewater
systems, and urging them to cooperate in safeguarding those infrastructures.
“Drinking
water and wastewater systems are an attractive target for cyberattacks because
they are a lifeline critical infrastructure sector but often lack the resources
and technical capacity to adopt rigorous cybersecurity practices,” the letter
warned. It specifically cited known state-sponsored attacks from Iran and
China.
The
enforcement alert elaborated:
Cyberattacks
against CWSs are increasing in frequency and severity across the country. Based
on actual incidents we know that a cyberattack on a vulnerable water system may
allow an adversary to manipulate operational technology, which could cause
significant adverse consequences for both the utility and drinking water
consumers. Possible impacts include disrupting the treatment, distribution, and
storage of water for the community, damaging pumps and valves, and altering the
levels of chemicals to hazardous amounts.
Next
Gov/FCW paints a grim picture of how vulnerable
our water systems are:
Multiple nation-state adversaries have been able to
breach water infrastructure around the country. China has been deploying its
extensive and pervasive Volt Typhoon hacking collective, burrowing into vast
critical infrastructure segments and positioning along compromised internet
routing equipment to stage further attacks, national security officials have
previously said.
In November, IRGC-backed cyber operatives broke into industrial water
treatment controls and targeted programmable logic controllers made by Israeli
firm Unitronics. Most recently, Russia-linked hackers were confirmed to have breached
a slew of rural U.S. water systems, at times posing physical safety threats.
Aftermath of a cyberattack on The Municipal Water Authority of Aliquippa. Credit" MWAA |
We shouldn’t be surprised by these attacks. We’ve come to learn that China, Iran, North Korea, and Russia have highly sophisticated cyber teams, but, when it comes to water systems, it turns out the attacks don’t have to be all that sophisticated. The EPA noted that over 70% of water systems it inspected did not fully comply with security standards, including such basic protections such as not allowing default passwords.
NextGov/FCW
pointed out that last October the EPA was
forced to rescind requirements that water agencies at least evaluate their
cyber defenses, due to legal challenges from several (red) states and the
American Water Works Association. Take that in. I’ll bet China, Iran, and
others are evaluating them.
“In an
ideal world ... we would like everybody to have a baseline level of
cybersecurity and be able to confirm that they have that,” Alan Roberson,
executive director of the Association of State Drinking Water Administrators, told AP. “But that’s a long ways away.”
Tom Kellermann, SVP of Cyber Strategy at Contrast Security told
Security Magazine: “The
safety of the U.S. water supply is in jeopardy. Rogue nation states are
frequently targeting these critical infrastructures, and soon we will
experience a life-threatening event.” That doesn’t sound like a long ways away.
Similarly,
Professor Blair Feltmate, an expert
in water systems at the University of Waterloo in Canada, told Newsweek: “The
U.S. Southwest is on the edge of being out of water, due to a combination of
climate-change driven extreme heat, growing drought and excess demand.
Nonetheless, survival in the Southwest depends on this increasingly precarious
water supply—as such, cyber bad guys will likely target this region using a
'kick 'em while they are down' logic.”
On the
other hand, David Reckhow, Emeritus professor at UMass Amherst, also told
Newsweek: “All community
water systems are somewhat vulnerable to intentional contamination, but it's
unlikely that cyberattack would result in a serious compromise in water quality
or public health. On the other hand, a cyberattack could result in financial
difficulties.”
In the
interim, the EPA plans to increase the number of planned inspections, but EPA spokesperson Jeffrey Landis admitted to CNN the
agency is “not receiving additional resources to support this effort.” It has
88 credentialled inspectors; there are something like 50,000 community water
systems. Those are not encouraging ratios. I’ll bet Iran’s IRGC and China’s
Volt Typhoon have more than 88 hackers…each.
Part of the problem is that many water systems just haven’t
seen cybersecurity as key to what they do. Amy Hardberger, a water
expert at Texas Tech University, told
CBS News: “Certainly, cybersecurity is part of that, but that's
never been their primary expertise. So, now you're asking a water utility to
develop this whole new sort of department.”
Yes, we are.
I hope a lot of water systems take this. Credit: EPA |
It’s not as though water systems are all that robust
generally. Drinking water infrastructure got a C- in the last
ASCE Infrastructure Report Card, with the acknowledgement: “Unfortunately,
the system is aging and underfunded.” It could have added: “and woefully
unprepared for cyberattacks.”
So, we
could have our water shut off, or made undrinkable through changes to how the
water is processed. We’ve seen how corporations respond to ransom demands when,
say, data is held hostage; what would we agree to in order to get safe water
back? We worry about missiles carrying bombs or chemical weapons, so why aren’t
we more worried about attacks to the safety of our water?
And, in
case you were wondering, water infrastructure is not the only infrastructure vulnerable
to cyberattacks; the electric
grid and even dams
have been targeted. But safe water is about as basic a need as there is.
Safe water
was one of the greatest
public health triumphs of the 20th century. Let’s hope we can
keep it safe in the 21st century.
No comments:
Post a Comment