At least half of municipal water systems in the United States are facing either critical or high risks of cyber attacks, NBC News reports. These systems have been vulnerable since at least 2017, leaving years for hackers to practice exploiting them. In a June 17 report, NBC alleged that there are “50,000 security disasters waiting to happen.” The report describes a January 15 incident where a hacker tried to poison the water supply to parts of San Francisco, California that was thwarted and a Oldsmar, Florida incident where a hacker gained access to a TeamViewer account and raised the levels of lye in the drinking water to poisonous levels. An employee quickly caught the computer’s mouse moving on its own, and undid the hacker’s changes. According to NBC, rural areas are particularly threatened because their water systems do not have dedicated cybersecurity staff.
Practical Cybersecurity Maintenance Tips for Water Suppliers.
Industry leader Water Online has an extensive list of “resiliency resources” that includes tool kits and other resources to help water providers tighten their cybersecurity and improve other water management technologies. Its column, Cybersecurity Hygiene Is Effective Preventive Maintenance, offers a list of things that can easily be done to prevent cyber threats. From data backup to updating software, the column gives bullet-style lists of exactly what should be done.
Federal Resources and Nationwide Challenges.
The Cybersecurity & Infrastructure Security Agency (CISA) has an online directory of resources and tool kits and the Environmental Protection Agency offers a list of products and services available to support water sector resilience.
Politico’s Eric Geller warns that President Biden’s infrastructure plan needs to address cybersecurity. “Biden’s plan includes $211 billion for upgrading the United States’ power and water infrastructure. These systems’ paramount importance to daily life also makes them top targets for hackers and top priorities for security funding,” Geller writes.
About a month after Politico’s article was published, an executive order was issued by the administration that establishes several timelines for enhancing the nation’s cybersecurity. Among other things, the order removes threat information sharing barriers between the federal government and private sector and establishes a Cyber Safety Review Board that includes the private sector.
While the executive order may be a step toward better security, a survey conducted in April and published in June 2021 by the Water Information Sharing and Analysis Center and the Water Sector Coordinating Council paints a bleak picture of where things currently stand. Summarizing the survey, GCN reports that many utilities “do not have access to a cybersecurity workforce. Operating in the background is that these utilities are struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations.” In short, water utilities need funding to address cyber concerns.