US says cyberattacks against water supplies are rising, and utilities need to do more to stop them
Cyberattacks against water utilities across the country are becoming more frequent and more severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate actions to protect the nation’s drinking water.
About 70% of utilities inspected by federal officials over the last year violated standards meant to prevent breaches or other intrusions, the agency said. Officials urged even small water systems to improve protections against hacks. Recent cyberattacks by groups affiliated with Russia and Iran have targeted smaller communities.
Some water systems are falling short in basic ways, the alert said, including failure to change default passwords or cut off system access to former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is crucial, the EPA said. Possible impacts of cyberattacks include interruptions to water treatment and storage; damage to pumps and valves; and alteration of chemical levels to hazardous amounts, the agency said.
…
McCabe named China, Russia and Iran as the countries that are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”
Why are any of them not air gapped?
I've worked on SCADA systems for water automation in a municipal water supply. The meters, valve positions, and sensors can have a tunnel back to the main office and generally aren't accessible unless someone physically breaks into something. With a proper remote solution it's pretty secure (as secure as anything, anyway) to access and manage things from anywhere cutting down water waste and time when problems occur.
The issue, as usual, is people. I can't tell the story, but I can say that managers and higher ups at municipal water departments will override decisions to make things more accessible without proper protections because they refuse to understand the concept of even the most basic security. Not every water department, obviously, but I can absolutely point to several that will demand easy access with no VPN because they want to use their fucking home computer, and when you won't provide it they'll hire someone else who will.
I’ve worked on networks for water systems as well and you are right, the problem is people. Weak or default passwords, little to no physical security, it all comes down to the people in charge.
In this side of networking, typically accessibility is considered more important than security as they don’t want to be locked out of something in a pinch. With recent hacks, the opinion is changing, but slowly. The industrial world moves at snails pace compared to the enterprise side. They operate on a if it’s not broke don’t fix mentality.
I can pay my bill online. That means there is a connection between the systems. They need to add up all the water everyone in my neighborhood uses compared to how much they pumped into my neighborhood - if there is a difference there is a leak someplace. While each link only needs to be connected to the next, eventually there is a system that is connected to the internet, and so the whole cannot be air gaped. Not to mention the internet is a really easy place to connect everything to.
Also, it is really nice if you work at the utility to be able to control the pumps and valved scattered all over the city without having to physically go to each one. Or better yet automatic control - which is only possible if all the systems are connected - see above about one of those systems leading to my bill and so must be connected.
Air gap is useful for a few military systems. Everything else (including most military systems) are better off networked. However we do need to protect the network better.
They did all that before the internet. I'm not sure why the internet is necessary now.
They did - but it was a lot more work - (and often mistakes were made) and that means costs were higher. Or more likely they didn't do the work as often and so it was a lot longer before they discovered problems.
So my "prepper" neighbor is on to something...
I can't tell you what I do, but if you saw the stupid shit my firm sees, you'd be a prepper too.
This sounds like the sort of thing I've heard preppers tell me for the almost 50 years I've been around.
And I'll repeat what I usually say: If society collapses to that point, I don't want to survive the aftermath. I have no Mad Max fantasies.
No need for societal collapse. Most of my tech friends in Austin have rain collection tanks and emergency generators now after the grid collapse. Same goes with an uncle that moved to Puerto Rico.
It doesn't take much (not much at all) to put you and your family in a position where you don't have safe drinking water.
Having some sort of off-grid water storage or access method is not being a prepper.
If having off-grid water and power backup, along with some long term storage consumables (freeze dried and canned food) isn't prepping, that what is your definition of prepping?
Hoarding guns and alienating your family.
That's covers most of MAGA.
How long do you expect to be without water and power and have to eat your own food?
Because the people I'm talking about are suggesting indefinitely. No thank you.
Society will not collapse. If it does odds are you won't survive what caused the collapse in the first place. (if you are a prepper make sure your neighbors know how to access you stash - both so that it doesn't go to waste if you can't get to it and because even if you can get to it you will need whatever neighbors survive to rebuild society)
However there are a lot of disasters that are much more likely that society collapse that are worth being prepared for.
As I said to the other person, that's not being a prepper. The whole idea behind being a prepper is that "The Big One" is coming.
Right, I'm saying the big one isn't coming - and even if it comes you won't survive so what is the point.
What does your firm do and what do you see?
We specialize in data and system optimizations for enterprise critical applications.
ProTip: Contest your electric bills. Most states allow you to do so and the utility company will have to provide your meter reading data to back up the bill.
Is there any guarantee the utility company won't just drop you like a rock when they're fed up with contesting bills? (That is a serious question, most of us are locked in by utility monopolies so if that is a risk it would be borderline life ruining)
No. Large commercial customers contest their bills constantly.
They cannot legally do that in most areas. So long as you pay your actually bills they have to serve you. If you contest the bills and then never pay when the real bill is given they can disconnect you, but so long as you pay up they have to serve you. Where I live even if they disconnect you they have to reconnect you every winter.
Note that if you contest bills that are correct they can sue you. It isn't worth their time if it is just you (they would spend a million dollars in legal fees to get $1000), but if people start contesting legitimate bills they will start making examples of the loudest people. Pay your legitimate bills without complaint is the best advice here. Contest if they actually are wrong, this can happen, but it isn't common.
If you cannot pay your utility bills contact your utility - they are programs in place for the poor and they will guide you to them (they want their money, they don't care where it comes from)
And here lies the problem. It is actually very common. I know of one major utility company that has been "estimating" 70%+ of their residential bills for years. They cannot get a handle on it and they haven't had full, clean data for years...so how are they estimating? They aren't. They are guesstimates. That's why they hired us.
That's the most extreme case due to the sheer number of households, but most do it. We only have one customer that has hired us to help them achieve their goal of zero estimates. One. Most just want to reach "good enough for minimum regulatory compliance".
I would guess that in many (or even most) areas that don't have municipal utilities, the commercial utility is under no legal obligation to provide their service to you. Otherwise, they couldn't shut off people's electricity or water for non-payment.
Our water and electric data is collected from wireless readers. Are you saying they are not reporting accurately?
I'm skirting really close to my NDA here but think about this. Imagine a city has ~3,000,000 active meters. Each meter polls every five minutes or so (more often if it is a gas meter). Legal retention is about seven years. Usage reports are due to market daily. Given that this is exclusively a cost, executives aren't keen on throwing buckets of money at it. So, in this "imaginary" scenario, what are the odds that things will go smoothly?
"I don't need a safety on a gun! Safety is for sissies! ......[incident]..... Gah, I just blew my fucking foot off! Why didn't anybody WARN me of the danger, this is all the goverment's fault!"
Congress needs to enact something with teeth so the government can enforce netsec on important commercial infrastructure.
They also need to be forced to be transparent about breaches (at least to the go).