Image Source: Krebs on Security
Recently a hacker in Florida broke into a town's water supply system and tried to poison it. This story went viral and hit the front pages as it bridged the cyber world and the real world. Thanks to an alert supervisor, the increased sodium hydroxide level was flagged and reverted immediately, but the incident raises great concerns. Security reporter Brian Krebs posted a detailed analysis of the incident on KrebsonSecurity, and here are a few of the highlights.
Security analysts have been warning about these types of attacks on infrastructure for years, and yet there are few known incidents. In fact, the only reason we know so much about this event is that the county sheriff, Bob Gualtieri, held a press conference on it. Most likely, an inexperienced intruder figured out how to get into the system, didn't try to hide their actions, and then made some changes. There are a number of other safeguards in place to prevent danger to the public for this particular attack, but the fact is that access was achieved, and a more advanced adversary could do more harm. KrebsonSecurity spoke to experts around the country to gather more facts:
- There are about 54,000 water systems in the U.S.
- The vast majority serve under 50,000 residents
- Virtually all of them rely on remote access to monitor and administer these facilities, leaving them potentially vulnerable to this type of incident.
- Many are underfunded and don't have resources to watch IT operations 24/7
- Many have not separated operational technology from safety systems.
KrebsonSecurity points out that the most unusual aspect of this month's attack is that we heard about it. There is no requirement to report such events. The only regulation that applies to cybersecurity of water treatment facilities in the U.S. is America's Water Infrastructure Act of 2018, which requires water systems serving more than 3,300 people "to develop or update risk assessments and emergency response plans."
Most local IT departments don't have the resources to perform in-depth cybersecurity reviews and upgrade security protocols like two-factor authentication and 24x7 monitoring. "Attacks that involved the step of actually manipulating things is a pretty short list," according to Andrew Hildick-Smith, a consultant who served nearly 20 years managing remote access systems for the Massachusetts Water Resources Authority. Ransomware attacks, and hijacking a computer of convenience for financial transactions, are much more common.
This should be a wake-up call for all of us. The Water Infrastructure Act of 2018 gives utilities serving fewer than 50,000 residents until the end of June 2021 to complete a cybersecurity risk and resiliency assessment. Even without specific consequences, this is at least a big step in the right direction.
Is your local water safe? Today, cybersecurity is a big part of the answer.
For the full article, visit KrebsonSecurity.