Top | |
Newsletter 7/19/2022 |
Back to Contents A Printable PDF of this post is available here. |
Water, Water, Everywhere
Source: https://www.watereducation.org/aquapedia/wastewater-treatment-process-california
On July
16, 2022,
it was reported that "The Narragansett Bay Commission, which
runs sewer systems in parts of the metropolitan Providence and
Blackstone Valley areas, was hit by a ransomware attack on its computer
systems." The
response by the water district was less than
forthcoming. In a terse response in an email, "Last week, the
Narragansett Bay Commission identified a cybersecurity incident that
involved the encryption of data on certain computers and systems in its
network."
The water sector quietly began preparing for a possible
onslaught of cyberattacks from Russia more than two months ago, when
rumblings of an invasion of Ukraine were being discussed at the White
House.
The fear of compromised water systems is quite real, as indeed it should
be, to those charged
with defending this nation's infrastructure. As the article cited
above states, “Russia pretty much has the capacity to do what it
wants to do, just like [the National Security Agency] has the capacity
to do what it wants to do,” Arceneaux continued. “Whether they
do it or not is another question, and which target they pick is another
question as well.” One of the pumps then stopped working, causing wastewater to be discharged into the seabed, poisoning local flora and fauna, and creating foul odours in the surrounding area... Before succeeding, the individual is thought to have carried out no fewer than 46 attempts to hack the factory’s information systems, without ever being detected. This attack did, however, prove the "the vulnerability of the world of water to cyber threats."
Water security is a subject I do not think all of our municipal leaders
have gotten their minds around. And as is always the case, the
smaller the water district is, then the fewer resources that water district
will have to apply to cyber security. The U.S. water and wastewater sector’s leading national associations and research foundations established the Water Information Sharing and Analysis Center (WaterISAC) in 2002, in coordination with the U.S. Environmental Protection Agency. That same year, it was authorized by Congress in the Bioterrorism Act. WaterISAC is the designated information sharing and operations arm of the Water Sector Coordinating Council. And what are the best recommendations of this group of wet cybersleuths? Since security is always dependent on multiple layers of protection, it is essential that everyone uses strong and unique passwords, patching is kept up to date, backups are regularly made and stored off the network, and users are given regular awareness training. WaterISAC also advises utilities have cybersecurity incident response plans with constant employee awareness training. Some of its primary recommendations for protecting against cyberattacks include: • Multi-factor authentication; • Anti-virus and anti-malware programs; • Enabling spam filtering to prevent phishing emails from getting through; • Keeping software up-to-date and filtering network traffic that monitors threat indicators; and • Developing and being prepared to implement incident response plans Where have we heard all that before? It might has well had come from the advice AOL or Microsoft offer to newbies on the web. Except for the incident response, these are the basics of cybersecurity today. None of this seems to me to particularly address the newest and most dangerous aspect of securing water systems from cyberattack. The industrial controls themselves that monitor and control these water plants are now under concerted and constant attack. Defending against these very sophisticated attacks requires a little more effort than running Windows Update, and changing your password frequently, although these are both quite good things to do. If there was ever a subject that offers up a real world example of the basic tenet of Zero Trust it is water security. The sewage water that runs into the plant gets treated and then sent elsewhere. An error anywhere along the line could have vast consequences far from the actual source of the problem. So Tots and Pears ain't going get the job done.
The river flows |
Back to Top Gerald Reiff |
Back to Top | next post → |