Public Water Systems at Cybersecurity Risk, Lawmakers HearMunicipal Water Systems Installing Networked Control Systems
Municipal water systems have little choice but to use networked control systems despite creeping cybersecurity risks, members of the House Homeland Security Committee heard today.
See Also: The Cost of OT Cybersecurity Incidents and How to Reduce Risk
Worries that hackers could tamper with drinking water gained newfound urgency after city officials in Oldsmar, Florida last year stopped an attacker from mixing dangerous levels of lye into municipal pipes.
"We're no longer dealing with cyber hackers; we're dealing with national sponsorship," said former Federal Emergency Management Agency Director Craig Fugate during a hearing of the House Homeland Security Committee on the emergency preparedness of American water systems (see: Hacker Breached Florida City's Water Treatment System).
The Environmental Protection Agency last month told Congress that most public water systems need technical support to improve their cybersecurity posture. The smaller the system, the more likely it is to be vulnerable, said the agency, which regulates water systems.
Cutting off municipal water systems from the internet isn't an option, said John O'Connell, a senior vice president with the National Rural Water Association. "We don't have repair people like we used to, so they're going to have to rely on internet service to do in-house repairs," he said, referring to human-machine interfaces that connect operators to water control systems.
New equipment in any case includes remote access functions, meaning utilities must adapt, he told the committee. Earlier this year, a man formerly employed by a rural Kansas water district serving about 10,000 people pleaded guilty to tampering after he used still-active credentials for a remote desktop application to shut down the facility.
The federal government is signaling increased interest in how state and local critical infrastructure account for risk - digital and otherwise, and that attention pressures the already-thin budgets of utilities, said David Gadis, CEO and general manager of the District of Columbia water and sewer authority.
"The costs are outrageous for utility to continue down the path that we're continuing down today to keep the utility safe," he said.
The EPA says starting this coming year it intends to offer technical support to water utilities, particularly those serving 3,300 or fewer people, by offering a checklist of best practices coupled with training. The agency also plans to have experts available to lend assistance with vulnerabilities identified by a cybersecurity assessment program.