US Warns Rising Cyberattacks Against Water Supplies


Critical infrastructure. Utility firms in the US are being urged to do more to protect water supplies amid rising cyberattacks.

The United States has again warned its utility providers to improve their cyberdefences, amid concern over protecting critical infrastructure.

On Monday, the Environmental Protection Agency (EPA) announced that it has issued an enforcement alert, and has warned that cyberattacks against water utilities across the country are becoming more frequent and more severe.

This comes a couple of months after US National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote to US state governors in March to warn them that foreign hackers were carrying out disruptive cyberattacks against water and sewage systems throughout the country.


Enforcement alert

Now the US EPA’s enforcement alert outlines the urgent cybersecurity threats and vulnerabilities to community drinking water systems in America, and the steps needed to comply with the Safe Drinking Water Act.

The EPA said it is issuing this alert because “threats to, and attacks on, the nation’s water system have increased in frequency and severity to a point where additional action is critical.”

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” said EPA Deputy Administrator Janet McCabe.

“EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health,” said McCabe.

Recent EPA inspections have revealed that the majority of water systems inspected – over 70 percent – do not fully comply with requirements in the Safe Drinking Water Act and that some of those systems have critical cybersecurity vulnerabilities, such as default passwords that have not been updated and single logins that can easily be compromised.

The EPA, along with CISA and the FBI, strongly recommends that system operators take the steps outlined in the following “Top Actions for Securing Water Systems”:

  • Reduce exposure to public-facing internet.
  • Conduct regular cybersecurity assessments.
  • Change default passwords immediately.
  • Conduct an inventory of OT/IT assets.
  • Develop and exercise cybersecurity incident response and recovery plans.
  • Backup OT/IT systems.
  • Reduce exposure to vulnerabilities.
  • Conduct cybersecurity awareness training.

Water attacks

Cyberattacks against water treatment plants have been ongoing for a while now.

In 2016, for example, a report from Verizon found at least one case where hackers were able to access the computer systems of a water treatment plant and affect the treatment process, exposing people to the potential health risks of drinking polluted water.

Officials at the unnamed water utility were able to identify and reverse the chemical and flow changes in time.

In February 2021, an even more dangerous cyberattack on a water utility came to light, when officials of the US city of Oldsmar in Florida revealed that a hacker had gained access to the city's water system and had tried to pump in a “dangerous” amount of a chemical.

The hacker had gained access to an internal ICS platform and briefly increased the amount of sodium hydroxide (lye) in Oldsmar’s water treatment system.

Sodium hydroxide is highly corrosive and is often used in drain cleaners. It can cause irritation to the skin and eyes, along with temporary loss of hair. Swallowing it, however, can cause damage to the mouth, throat and stomach, and trigger vomiting, nausea and diarrhoea.

Thankfully for all concerned, a worker spotted the attack and reversed the action, but the consequences of the attack could have been very serious.

And earlier this year, a Russian-linked “hacktivist” reportedly tried to disrupt operations at several Texas utilities.

UK utilities

British utilities should also be concerned about their cyber defences.

In August 2022, the Clop ransomware gang claimed on the dark web that it had accessed the SCADA systems (which control industrial processes at treatment plants) of Thames Water.

Thames Water is the UK’s largest water supplier and wastewater treatment provider, serving Greater London and areas surrounding the River Thames (roughly 15 million customers).

But the Clop hackers were mistaken, and they had actually compromised the SCADA systems belonging to a water supplier in the Midlands, namely South Staffordshire Water, which supplies water to 1.6 million customers.

South Staffordshire Water confirmed that it was the one that had been breached in a statement issued on its website.