America’s critical infrastructure could be in the crosshairs of potential adversaries as well as cybercriminals, and that includes the country’s power plants and electrical grid, but also the drinking water system. Last week, the U.S. Environmental Protection Agency Office of Inspector General announced that it identified concerns with the nation’s drinking water systems.

The OIG also found “weaknesses with reporting and coordinating responses to potential cybersecurity incidents at these water systems,” and called for greater efforts to identify and address the concerns and to coordinate responses to potential incidents.

Progress Made, Vulnerabilities Remain

Earlier this year, EPA inspectors also identified “alarming cybersecurity vulnerabilities at drinking water systems across the country.” Although efforts were taken to address the issues, the EPA also concluded that more than 70% of inspected water systems fail to comply with America’s Water Infrastructure Act of 2018 (AWIA).

“Unfortunately, vulnerabilities in critical infrastructure continue to be a serious issue, in part because much of the equipment, while still functioning very well, runs outdated software that is rife with vulnerabilities,” explained Erich Kron, security awareness advocate at cybersecurity provider KnowBe4.

“If the vulnerabilities in these systems were to be exploited by bad actors, the results could be extremely unpleasant,” Kron told ClearanceJobs. “From a simple disruption in service from a ransomware attack or some other similar malware that took things offline, to the potential for physical damage if attackers were to over pressurize lines or otherwise overload systems, the resultant lack of water for customers could be a severe issue.”

Most breaches at water plants are not that severe. At least for now.

“What we’re most concerned about are attacks that affect the actual infrastructure. These attacks might overflow tanks, throw off chemical balances, or otherwise prevent customers from getting water,” warned Paul Bischoff, consumer privacy advocate at cybersecurity research firm Comparitech.

Bischoff told ClearanceJobs that instead hackers break into customer accounts to steal personal details and disrupt billing and monitoring. “Although those attacks might be frustrating and can lead to fraud, they don’t affect the supply of water,” he added.

Water Is Life

As the recent natural disasters have highlighted, loss of power can be extremely problematic, but lack of access to drinkable water could result in loss of life far more quickly. Power can take days, even weeks, to be restored following an emergency, and Americans can survive the wait.

There are only so many pallets of bottled water that can be sent to a major city if a cyberattack takes the water offline – and it could be far more devastating than we’d like to consider.

Hackers and other bad actors may find that instead of stealing customer data, an attack on infrastructure could be more lucrative. Data can be sold on the dark web, but a municipality may be forced to pay a ransom when its water supply is taken offline. Even as many communities have vowed not to pay such ransoms, there may be no choice during a summer heatwave.

“While most breaches of utilities like water and sewer services have been targeted at billing and other systems that may contain customer information, we have begun to see attacks on the infrastructure itself,” said Chris Hauk, consumer privacy champion at Pixel Privacy.

“We will likely see these increase, as government-sponsored bad actors begin to probe for weaknesses in the infrastructure of the United States and its allies,” Hauk told ClearanceJobs.

Interconnected Networks

A very serious danger is that access to those public-facing networks could allow a hacker access to the more critical infrastructure.

“In many cases, these vulnerable systems have been connected to the Internet for ease of management and potential cost savings by allowing remote monitoring. Unfortunately, many of these systems were connected without considering the serious security implications that abound when a system is accessible from the Internet,” said Kron.

There may be a need to keep such networks disconnected – and while that could limit the ability for remote monitoring, it could help ensure a breach doesn’t become a literal disaster.

“We need to separate those systems that are vulnerable to attacks on the actual water supply from those on customer accounts and websites to get a better idea of the threat we face,” suggested Bischoff.

The Warnings Are There – Will Action Follow?

Since releasing its November 2022 report that first put these concerns in the spotlight, the EPA has increased its outreach to water systems and has called for greater partnership with the states to secure water systems against the increasing risks from and consequences of potential attacks.

“This is interesting because it’s an early warning. Rather than reacting to a breach after millions of people are harmed, this is a proactive attempt to compel some action,” said Jeff Williams, co-founder and CTO at Contrast Security. “Sadly, this type of warning doesn’t usually make a difference. People tend to wait for a breach to occur.”

He told ClearanceJobs that any attack wouldn’t be significantly different from any other attack on critical infrastructure.

“Hopefully, the EPA takes additional action and funds some research into creating a solid threat model for water systems, standards and guidance for defending them, and testing and monitoring services to detect and respond to problems,” Williams continued.

Beyond the interconnected networks, the problem could be worse where vulnerabilities stem from legacy, outdated infrastructure.

“The potential disruption is also attractive, particularly at a nation-state level because compromise of a water facility is headline news and could ultimately cause a threat to safety,” warned Sean Arrowsmith, head of industrials at cybersecurity consulting firm NCC Group. “The vulnerabilities should then be triaged, taking into account any other aspects of the control environment that could have an impact on risk. This will allow the production of a risk-assessed list of vulnerabilities that could be prioritized for remediation. The affected companies should then implement a regime of ongoing scanning of their networks as a part of their ongoing vulnerability management and cyber hygiene.”
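As an added illustration, not taken from the article or from any of the firms quoted, of the risk-assessed triage Arrowsmith describes together with the Internet-exposure and segmentation concerns Kron and Bischoff raise: constructed findings for a hypothetical utility are ranked by base severity, network zone, Internet reachability and compensating controls. All weights, asset names and vulnerability identifiers are assumed placeholders.

```python
"""Risk-assessed vulnerability triage for a hypothetical water utility.

Each constructed finding carries a base severity (CVSS-like, 0-10), the zone
its asset sits in, whether the asset is reachable from the Internet, and which
compensating controls apply. Weights below are assumed, not from any standard.
"""
from dataclasses import dataclass, field

# A flaw on equipment that touches the water process (dosing, pumps, tank
# levels) matters more than the same flaw on the customer billing portal.
ZONE_WEIGHT = {"ot_control": 1.0, "ot_monitoring": 0.8, "it_customer": 0.5}

# Compensating controls that lower effective risk (assumed factors).
CONTROL_FACTOR = {
    "segmented_from_internet": 0.4,  # no inbound path from the Internet
    "mfa_on_remote_access": 0.6,
    "monitored_by_soc": 0.8,
}

@dataclass
class Finding:
    asset: str
    vuln_id: str          # placeholder identifiers, not real advisories
    base_severity: float  # 0.0 - 10.0
    zone: str
    internet_exposed: bool
    controls: list = field(default_factory=list)

def effective_risk(f: Finding) -> float:
    """Scale base severity by asset zone, exposure and compensating controls."""
    score = f.base_severity * ZONE_WEIGHT[f.zone]
    score *= 1.5 if f.internet_exposed else 1.0  # exposure is the key multiplier
    for control in f.controls:
        score *= CONTROL_FACTOR.get(control, 1.0)
    return round(min(score, 10.0), 2)

def prioritize(findings):
    """Return (asset, vuln_id, risk) tuples, highest effective risk first."""
    ranked = sorted(findings, key=effective_risk, reverse=True)
    return [(f.asset, f.vuln_id, effective_risk(f)) for f in ranked]

# Constructed sample findings for the hypothetical utility.
SAMPLE_FINDINGS = [
    Finding("chlorine-dosing-plc", "VULN-PLACEHOLDER-1", 9.8, "ot_control", True),
    Finding("remote-hmi-vpn", "VULN-PLACEHOLDER-2", 7.5, "ot_monitoring", True,
            ["mfa_on_remote_access", "monitored_by_soc"]),
    Finding("billing-portal", "VULN-PLACEHOLDER-3", 9.0, "it_customer", True),
    Finding("tank-level-rtu", "VULN-PLACEHOLDER-4", 8.0, "ot_control", False,
            ["segmented_from_internet"]),
]

if __name__ == "__main__":
    for asset, vid, risk in prioritize(SAMPLE_FINDINGS):
        print(f"{risk:5.2f}  {asset:22s} {vid}")
```

The Internet-exposed dosing controller tops the list, while the segmented RTU with a similar base score drops to the bottom, which is the point of weighing the control environment before remediation.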

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.