Thread: Water Facilities Warned to Improve Cybersecurity as Nation-State Hackers Pounce

The water sector is under pressure to improve cybersecurity protections as hacking threats grow.


The Environmental Protection Agency and the White House met with governors last month and asked them to draw up plans by June 28 explaining how they plan to deal with major cybersecurity risks facing their state’s water and wastewater systems.


Last week, Reps. Rick Crawford (R., Ark.) and John Duarte (R., Cal.) proposed a bill that would create a governing body to develop cybersecurity mandates for water systems and work with the EPA to enforce new rules.


Many water facilities need help securing their systems because they don’t have the budget for tools or cybersecurity staff, said Kevin Morley, manager for federal relations at the American Water Works Association. The trade group was part of a lawsuit that fought a previous attempt by the EPA to mandate cyber protections for water systems, saying the cost of complying with the requirements would be out of reach for many facilities.


Training on basic cybersecurity protections is lacking, he said. “We have the haves and the have nots,” Morley said.


It can take several years and cost millions of dollars for utilities to upgrade old equipment, which is a big strain on many municipal systems, he said. Water and other critical infrastructure facilities use specialized technology for industrial processes that typically remain in use for decades and therefore lack modern cybersecurity protections.

Frank Ury, president of the board of the Santa Margarita Water District in southern California, said a main concern is that hackers are lying dormant in water facilities’ systems but could eventually launch a coordinated attack that might affect multiple areas at once. The Santa Margarita facility doesn’t have a chief information security officer and spends around 15% of its technology budget on cybersecurity, he said.


“Most agencies don’t know they’ve been compromised,” he said. Ury is also a senior client executive for CAI, a consulting firm that works with water utilities and other companies.


Hackers, often including political activist groups that typically use low-level cyberattack techniques, are targeting water facilities more frequently and in many cases find them to be insufficiently protected, said Lior Frenkel, chief executive and founder of Waterfall Security Solutions, a cybersecurity company that focuses on critical infrastructure. Waterfall works with several hundred water facilities in the U.S.

U.S. cybersecurity and law-enforcement officials have warned recently that Chinese government-sponsored hackers are targeting water facilities. In February, the Federal Bureau of Investigation said it disrupted Chinese hackers that were hiding inside American water systems and other critical infrastructure. Some digital intruders had been lurking for at least five years, the FBI said. The Chinese embassy in Washington didn’t respond to a request for comment.


Hackers targeting water facilities and other infrastructure are preparing to destroy or damage their systems, FBI Director Christopher Wray said in January. Experts in water security have warned that hackers could also adjust chemical levels in water or stop the flow of water or functioning of wastewater systems.


The Metropolitan Water District of Southern California invests in technologies that secure how employees access technology and use login credentials to prevent attacks like the kind the FBI has warned about, according to Chief Information Security Officer Jake Margolis. Still, it is difficult to know if hackers entered technology systems if they wait a long time before launching an attack, he said.


“Even if you’re doing everything right, it’s still not enough,” Margolis said.


Iran-linked attackers targeted equipment from Israeli manufacturer Unitronics, used at a U.S. water facility in Pennsylvania, the Cybersecurity and Infrastructure Security Agency said late last year. The facility disabled the controller that was affected. The Iranian foreign ministry didn’t respond to a request for comment.


The EPA hasn’t issued binding cybersecurity requirements for the water sector. The agency withdrew guidelines for water systems last year after water companies and states filed lawsuits alleging the rules would impose high costs on facilities.

wsj.com

Current affairs eh, give me a Sultana every thyme