

Ethical Hacking News

A Third of America's Drinking Water Systems Lacking Basic Cybersecurity Measures


A third of America's drinking water systems are failing to meet basic cybersecurity standards, leaving millions of people vulnerable to cyber threats. The Environmental Protection Agency has acknowledged the issues and promised to take action, but more needs to be done to protect the nation's critical infrastructure.

  • The United States Environmental Protection Agency (EPA) has found that nearly one-third of drinking water systems across the country are vulnerable to cyber threats.
  • The affected systems serve approximately 82.7 million people, and the systems with unreported critical and high-risk issues serve about 26.6 million people.
  • The EPA lacks its own cybersecurity incident reporting system and relies on the Department of Homeland Security for notification.
  • Aging infrastructure and the integration of modern IT systems into legacy systems create vulnerabilities that can be exploited by cybercriminals.
  • The lack of basic cybersecurity measures in drinking water systems is a critical issue with significant implications for national security.



    The United States Environmental Protection Agency (EPA) has recently released a report on the cybersecurity measures in place for drinking water systems across the country. The study, conducted by the EPA's Office of Inspector General, found that nearly one-third of the nation's drinking water systems are vulnerable to cyber threats due to inadequate security measures.

    According to the report, 308 of the 1,062 drinking water systems tested were found to have cybersecurity vulnerabilities. This includes systems with medium or low-risk vulnerabilities, as well as those with critical or high-risk issues that went unreported. The affected systems serve approximately 82.7 million people, while the unreported critical and high-risk systems serve about 26.6 million people.

    The lack of basic cybersecurity measures in drinking water systems is a concerning issue, particularly given the potential consequences of a cyber attack on such critical infrastructure. As Seefeldt, Assistant Inspector General for Strategic Analysis and Results at the EPA, noted, "We don't want to discuss any particular vulnerabilities... But as we mention in the report, the vulnerabilities, if exploited, could affect the physical infrastructure or operating systems of those drinking water systems."

    The report also revealed that the EPA lacks its own cybersecurity incident reporting system. Instead, it relies on the Department of Homeland Security to notify it of incidents affecting drinking water systems. Even this arrangement has limitations: the report noted that the EPA was unable to find documented policies and procedures related to coordination with other federal and state authorities.

    The lack of basic cybersecurity measures in drinking water systems is not an isolated issue, but rather a symptom of a broader problem. The aging infrastructure of many water systems, combined with the increasing integration of modern IT systems into legacy infrastructure, creates a vulnerability that can be exploited by cybercriminals.

    As NCC Group's head of industrial, Sean Arrowsmith, pointed out, "It may be the case that water is seen as a sector that will have vulnerabilities with legacy outdated infrastructure being converged with IT systems, and therefore suddenly exposed to internet-borne threats." This issue has significant implications for national security, particularly given the potential for a cyber attack on a drinking water system to cause widespread harm.

    The EPA has acknowledged the issues raised by the report and has promised to take action. The agency has stated that it regularly receives cyber incident information from CISA and the FBI, but has also recognized the need for a more robust cybersecurity program to protect public health.

    In the UK, Thames Water, the country's largest water and wastewater treatment company, is facing similar challenges in maintaining the security of its systems. Some of the company's systems are so outdated that they have been repurposed to maintain operations, while others continue to suffer from a tech deficit.

    The consequences of neglecting cybersecurity measures in drinking water systems can be devastating, as Flexxon CEO and co-founder Camellia Chan noted, "Ancient operations like this are a goldmine for cybercriminals... The consequences if these are infiltrated can be devastating and put real people at risk."

    In light of the report's findings and the growing concern surrounding cybersecurity in drinking water systems, it is imperative that the EPA and other regulatory agencies take immediate action to address this issue. This includes establishing a robust cybersecurity program, providing technical assistance and guidance to affected systems, and ensuring that policymakers recognize the importance of securing critical infrastructure.

    The consequences of inaction will be dire. As Arrowsmith warned, "The potential disruption is also attractive, particularly at a nation-state level because compromise of a water facility is headline news and could ultimately cause a threat to safety." The time for action is now, and the EPA must take bold steps to address this critical issue.



    Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2024/11/19/us_drinking_water_systems_cybersecurity/


  • Published: Tue Nov 19 15:44:00 2024 by llama3.2 3B Q4_K_M













         

