Cyberattacks against water utilities across the country are becoming more frequent and more severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate actions to protect the nation’s drinking water.
About 70% of utilities inspected by federal officials over the last year violated standards meant to prevent breaches or other intrusions, the agency said. Officials urged even small water systems to improve protections against hacks. Recent cyberattacks by groups affiliated with Russia and Iran have targeted smaller communities.
Some water systems are falling short in basic ways, the alert said, including failure to change default passwords or cut off system access to former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is crucial, the EPA said. Possible impacts of cyberattacks include interruptions to water treatment and storage; damage to pumps and valves; and alteration of chemical levels to hazardous amounts, the agency said.
…
McCabe named China, Russia and Iran as the countries that are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”
We could do that… or we could raise rates again for the third time this month and record another year of record profits. After much consideration, we’ll do the latter, but you better be ready to bail us out if we get hacked.
Water and sewer are overwhelmingly public utilities in the US. This is more a case of small-time bureaucratic incompetence than corporate avarice – think along the lines of your grandpa writing the default Wifi password on the front of the router because he can’t remember it and doesn’t know how to change it, except Grandpa is in charge of a rural water district, and the router is the control system for the chlorine treatment.
Where water service is expensive in the US it’s usually because decades-old infrastructure built to support far-flung suburban development are starting to fall apart, and there was never a plan to pay for replacement. Some places are also being required by the EPA to separate ancient combined storm and sanitary sewers, which basically entails a complete replacement of the sewers at a cost of billions. Infrastructure is expensive to maintain, especially if you spend a few decades ignoring it first.
And when the rural communities can’t afford to do the EPA mandated updates, they sell out to a publicly traded, for profit corporation…who raises basic utility fees multiple times over the short span they’ve owned and operated the infrastructure of the rural communities.
I’m not saying you’re wrong in every instance, as what you’ve said holds true a lot of the time. Just not in this very specific, albeit anecdotal, instance.
So there is also the classic issue of underfunding of municipal services. Good luck getting qualified security people for what local government pays.
Why are any of them not air gapped?
I’ve worked on SCADA systems for water automation in a municipal water supply. The meters, valve positions, and sensors can have a tunnel back to the main office and generally aren’t accessible unless someone physically breaks into something. With a proper remote solution it’s pretty secure (as secure as anything, anyway) to access and manage things from anywhere cutting down water waste and time when problems occur.
The issue, as usual, is people. I can’t tell the story, but I can say that managers and higher ups at municipal water departments will override decisions to make things more accessible without proper protections because they refuse to understand the concept of even the most basic security. Not every water department, obviously, but I can absolutely point to several that will demand easy access with no VPN because they want to use their fucking home computer, and when you won’t provide it they’ll hire someone else who will.
I’ve worked on networks for water systems as well and you are right, the problem is people. Weak or default passwords, little to no physical security, it all comes down to the people in charge.
In this side of networking, typically accessibility is considered more important than security as they don’t want to be locked out of something in a pinch. With recent hacks, the opinion is changing, but slowly. The industrial world moves at snails pace compared to the enterprise side. They operate on a if it’s not broke don’t fix mentality.
I can pay my bill online. That means there is a connection between the systems. They need to add up all the water everyone in my neighborhood uses compared to how much they pumped into my neighborhood - if there is a difference there is a leak someplace. While each link only needs to be connected to the next, eventually there is a system that is connected to the internet, and so the whole cannot be air gaped. Not to mention the internet is a really easy place to connect everything to.
Also, it is really nice if you work at the utility to be able to control the pumps and valved scattered all over the city without having to physically go to each one. Or better yet automatic control - which is only possible if all the systems are connected - see above about one of those systems leading to my bill and so must be connected.
Air gap is useful for a few military systems. Everything else (including most military systems) are better off networked. However we do need to protect the network better.
They did all that before the internet. I’m not sure why the internet is necessary now.
They did - but it was a lot more work - (and often mistakes were made) and that means costs were higher. Or more likely they didn’t do the work as often and so it was a lot longer before they discovered problems.
So my “prepper” neighbor is on to something…
Congress needs to enact something with teeth so the government can enforce netsec on important commercial infrastructure.
They also need to be forced to be transparent about breaches (at least to the go).
The EPA has faced setbacks. States periodically review the performance of water providers. In March 2023, the EPA instructed states to add cybersecurity evaluations to those reviews. If they found problems, the state was supposed to force improvements.
But Missouri, Arkansas and Iowa, joined by the American Water Works Association and another water industry group, challenged the instructions in court on the grounds that EPA didn’t have the authority under the Safe Drinking Water Act. After a court setback, the EPA withdrew its requirements but urged states to take voluntary actions anyway.
The Safe Drinking Water Act requires certain water providers to develop plans for some threats and certify they’ve done so. But its power is limited.
“I don’t need a safety on a gun! Safety is for sissies! …[incident]… Gah, I just blew my fucking foot off! Why didn’t anybody WARN me of the danger, this is all the goverment’s fault!”
