White House Issues Warning About Cyber Attacks Targeting US Water Systems
In a letter released by the White House on the 18th of March, the Environmental Protection Agency and National Security Advisor have warned US state governors about cyber attacks that “have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.” These attacks, in which malicious actors target operational facilities and compromise critical systems, have affected several cities across the United States. In response to the breaches in affected areas, measures have been swiftly implemented, including automated testing, to ensure the safety of consumers. Fortunately, no damage has been reported thus far.
There have been several instances of cyber attacks targeting water systems. For example, in February 2021, a hacker attempted to poison the water supply of Oldsmar, Florida, by gaining unauthorized access to the city’s water treatment system through dormant software. Also, in 2019, the city of New Orleans declared a state of emergency following a cyber attack on its computer systems, which also affected the billing and customer service systems of the Sewerage and Water Board.
When critical infrastructures like water systems are attacked, several cybersecurity concerns arise. One major concern is the potential for hackers to disrupt or disable the operation of the water treatment and distribution systems, leading to water contamination or extended supply disruptions. Another concern is the unauthorised access to sensitive information or control systems, which could be used to manipulate water quality or distribution. Additionally, there’s the risk of ransomware attacks, where hackers could encrypt critical systems and demand payment for their release. Overall, the cybersecurity concerns related to attacks on water systems are significant and require robust defence measures to safeguard these essential infrastructures.
These facilities are attractive targets for cyber-attacks because, despite their importance, they are usually under-resourced and cannot implement the latest security measures. One of the weaknesses cited in the system was weak passwords with less than 8 characters. Additionally, the majority of the workforce in these facilities are above 50 years old and have little awareness of the cybersecurity issues facing public facilities. There is the bureaucracy problem, which requires excessive paperwork and several steps to get approval for simple changes to existing systems.
To address cybersecurity concerns in water systems, remediation measures include implementing stronger password policies with multi-factor authentication, providing cybersecurity training for staff, updating and patching systems, utilizing network segmentation to isolate critical systems, deploying advanced monitoring systems for real-time threat detection, establishing detailed incident response plans, and conducting regular security assessments and penetration testing to mitigate vulnerabilities. These measures collectively enhance the security posture of water treatment and distribution facilities, mitigating the risks associated with cyber-attacks while promoting proactive cybersecurity measures and preparedness.
