Does Putin have the better hackers? (Part 3)
The water supply problem
8 March 2022
White House and EPA release 100-day plan to address cyber threats and secure water supply
In particular, the increasingly sophisticated attacks on water utilities in the U.S. over the past year, predominantly by Russian cyber warriors, have forced the U.S. government to act. It would be fatal if millions of citizens between Washington and San Francisco had to die of thirst. Against this background, the White House, the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) have unveiled a 100-day plan to strengthen the protection of the country’s water supply systems.
The action plan, “Industrial Control Systems Cybersecurity Initiative — Water and Wastewater Sector Action Plan,” includes several actions the agencies believe can be taken in the coming months to address gaps in cybersecurity in the water supply industry.
The plan calls for the following actions:
– Establish a task force of water utility industry leaders;
– Launch pilot programs to monitor attacks;
– Improve information sharing; and
– Provide technical assistance to water systems in need of help.
Against this backdrop, EPA Administrator Michael Regan stressed that cyberattacks pose an “increasing threat to community water systems.” Because attackers are becoming more sophisticated, he said, a coordinated and more modern approach must be created to ensure America’s citizens continue to have access to clean water. EPA will work closely with its federal partners and use its authority to ensure the water sector is optimally protected from cyber incidents, he said.
There are currently about 150,000 water utilities in the United States. The problem: thousands of (incompatible) systems are involved, because in addition to major metropolitan areas, numerous small towns and villages have to be served. What’s more, cybersecurity expertise is often almost non-existent.
Near real-time warnings
The White House said the plan would provide owners and operators with technology that would enable “near real-time alerts.” To that end, EPA and CISA would work with appropriate private sector partners. However, it said, the government would not select a particular technology or vendor. Implementation of the plan would initially focus on utilities serving the largest populations, it said.
The White House has listed the following attacks on water utilities since 2019:
– In August 2021, the Ghost ransomware was used against a facility in California. Attackers spent a month in the system before releasing a ransomware message on three monitoring and data collection servers.
– In July 2021, the ZuCaNo ransomware was used to damage a wastewater facility in Maine.
– In March 2021, a water treatment plant in Nevada was attacked by an unknown ransomware variant.
– In September 2020, the Makop ransomware hit a facility in New Jersey.
– In March 2019, an attempt was made to threaten the drinking water of a town in Kansas.
– An attack in February 2021 made headlines: a hacker gained access to the computer systems of a water treatment plant in the city of Oldsmar, Florida, and changed chemical levels to dangerous values.
The White House pointed out in its statement that the recent attacks on Colonial Pipeline and food processor JBS are important reminders that the federal government has limited authority to set cybersecurity baselines for critical infrastructure. Municipal owners, it said, therefore rely on a partnership with the private sector to minimize risk.
Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said action plans created for electric grids and pipeline operators have already resulted in more than 150 electric utilities serving more than 90 million residential customers and several critical natural gas pipelines deploying additional cybersecurity technologies.
Detection technology not foolproof
In addition, Neuberger emphasized: “The Water Supply Plan will build on this work and is another example of our focus and determination to use all the tools at our disposal to modernize the nation’s cyber defenses in partnership with private sector critical infrastructure owners and operators.”
As might be expected, sharp criticism has come primarily from expert circles.
Reactions to the 100-day plan among ICS cybersecurity experts have been mixed. In the computer magazine “ZDNet,” Mark Carrigan, cyber vice president for process security and OT cybersecurity at Hexagon PPM, is quoted as cautiously stating that the measures outlined “won’t come close to reducing the risk to an acceptable level.”
First weakness: The detection technology currently in use is not “foolproof.” By this, Carrigan means that many infiltrations and subsequent attacks begin by exploiting zero-day vulnerabilities but are only detected after the fact. “It’s like closing the barn door after the cows have gone out. It’s time for critical infrastructures to invest more in improving operational resilience so we can respond to an attack, minimize the impact and restore operations within an acceptable timeframe,” Carrigan said.
“We must accept the fact that we cannot prevent all cyberattacks because of the nature of the control systems that provide critical services. We need to improve our response and recovery capabilities.”