September 7, 2024 at 08:44AM
Multiple cybersecurity incidents involving US water systems, attributed to China, Russia, and Iran, have raised concerns about vulnerabilities in water infrastructure. Legacy operational technology (OT) systems, remote cyberattacks, and a lack of cybersecurity standards pose significant risks. Attempts to enforce minimum standards have faced legal challenges, leaving continued security gaps in this critical sector.
The key takeaways from the meeting notes are:
1. Cyberattacks on US water systems have been attributed to three countries – China, Russia, and Iran – highlighting the vulnerability of the water sector to international threats.
2. Operational technology (OT) systems used in water infrastructure are particularly susceptible to cyber threats because they are outdated and run 24/7, which makes them hard to secure.
3. The reliance on legacy OT systems creates significant vulnerabilities, as seen when an Iranian hacktivist crew exploited Israeli-made programmable logic controllers (PLCs) that used default passwords.
4. Efforts to establish minimum cybersecurity standards for water infrastructure have faced challenges, including pushback and lawsuits from states, which have resulted in the suspension of the rules.
5. The lack of a national water supply system leads to disparities in funding and expertise across different utilities, with smaller companies facing difficulties in implementing strong cybersecurity measures.
6. The potential consequences of cyberattacks on water systems extend beyond operational disruptions, posing risks to human health and the environment by compromising access to safe drinking water and wastewater management.
7. The EPA’s attempt to introduce minimum security standards for public water systems was hampered by legal challenges and resistance from some states, ultimately leading to the abandonment of the initiative.
8. The water and wastewater sector has been encouraged to implement technical solutions such as changing default and compromised passwords, securing remote access, and reducing the accessibility of vulnerable IoT devices to mitigate security risks.
These takeaways emphasize the urgent need for coordinated efforts to strengthen the cybersecurity of water infrastructure and address the vulnerabilities that could have far-reaching consequences for public health and safety.