Critical Cybersecurity Risks in U.S. Drinking Water Systems
Cybersecurity vulnerabilities in critical infrastructure have far-reaching consequences, and U.S. drinking water systems are no exception. A recent report from the Environmental Protection Agency’s (EPA) Office of Inspector General (OIG) highlights a concerning reality: 97 drinking water systems, serving approximately 26.6 million Americans, have been identified as having “critical or high-risk” cybersecurity vulnerabilities.
These findings underscore the urgency of addressing cybersecurity threats to safeguard our water systems from potentially catastrophic events.
The Scope of the Problem
The OIG’s assessment of 1,062 drinking water systems, serving over 193 million people, revealed alarming statistics:
- 97 systems are at critical or high-risk levels.
- 211 systems have medium or low-severity vulnerabilities due to externally visible open portals, impacting an additional 82.7 million Americans.
These vulnerabilities expose water systems to potential service disruptions or physical damage, posing serious risks to public health and safety.
A Lack of Centralized Reporting
One key issue identified in the report is the lack of an EPA-specific incident reporting system for water and wastewater systems. Currently, the EPA relies on the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to handle incident reporting. However, there are no documented policies or procedures outlining this coordination.
Without a streamlined reporting system, communication delays could hinder responses to cybersecurity incidents, leaving critical water systems exposed to threats for longer periods.
Active Threats and Real-World Risks
Cybersecurity experts have warned about threat actors actively targeting water systems:
- Salt Typhoon and Volt Typhoon, known cyber adversaries, are exploiting vulnerabilities in U.S. water systems.
- The decentralized nature of water management in the U.S., spanning federal, state, local, and commercial entities, contributes to uneven security practices.
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, points out that adversaries are often organized and government-managed, whereas the U.S. approach relies on cooperative governance. This disparity leaves water systems highly vulnerable.
Potential Consequences of Cyber Attacks on Water Systems
Morgan Wright, chief security advisor at SentinelOne, paints a stark picture of the consequences:
- Disruption of Water Supply: Attacks during critical periods, such as summer in southern states, could result in widespread shortages and public panic.
- Health Hazards: Compromising wastewater systems could lead to pollution of local waterways, causing widespread sickness.
- Economic and Social Fallout: A disruption in water services could cripple communities, creating ripple effects across healthcare, agriculture, and industry.
Budget Constraints and Legacy System Challenges
Dale Fairbrother, security product evangelist at XM Cyber, emphasizes the ongoing budgetary challenges:
- Despite increasing attention to industrial control system (ICS) and operational technology (OT) security, funding often falls short.
- Legacy systems, which are integral to many water facilities, lack the advanced security measures required to address modern cyber threats.
Recommendations for Strengthening Cybersecurity in Water Systems
To mitigate these risks, a proactive and comprehensive approach is essential:
- Centralized Reporting Mechanisms: The EPA must establish a robust incident reporting system tailored to water and wastewater systems, enabling quick response to cyber threats.
- Increased Budget Allocation: Governments at all levels should prioritize funding for OT and ICS security solutions to address vulnerabilities in legacy systems.
- Cross-Sector Collaboration: Coordination between federal agencies like the EPA and CISA, as well as private entities, is vital for developing standardized security protocols.
- Continuous Risk Assessments: Regular cybersecurity audits and vulnerability assessments can help identify and address weak points before they are exploited.
- Public Awareness and Training: Educating water system operators and employees about cyber risks can reduce the likelihood of human error leading to breaches.
Conclusion
The cybersecurity vulnerabilities in U.S. drinking water systems represent a ticking time bomb. With millions of Americans relying on these systems for their daily needs, the potential for catastrophic consequences demands immediate action. Strengthening the cybersecurity of water systems is not just a technical challenge; it is a public safety imperative. The time to act is now. Proactive measures, adequate funding, and cross-sector collaboration can safeguard the nation’s water infrastructure and ensure a secure future for all.
Source: https://www.scworld.com/news/drinking-water-systems-for-26m-americans-face-high-cybersecurity-risks