Oct 20, 2021

How safe is your water from a cyberattack?

The Blue Plains Wastewater Treatment Plant in Washington, D.C. Kimberly Adams/Marketplace

Wastewater treatment plants have a history of outdated IT, making them more vulnerable to ransomware attacks.

Several government agencies, including the FBI, the EPA and the Cybersecurity and Infrastructure Security Agency (CISA) — the agencies making sure sewage and other biohazards stay out of your drinking water — put out an advisory last week highlighting cyber threats to local water and wastewater systems.

The warning cites several cyberattacks over the last few years. Like one in Oldsmar, Florida, where someone tried to hack in and dump extra chemicals in one municipal system. CISA is urging water and wastewater facilities to plan for, and get ready to block, these attacks.

Kim Zetter, a cybersecurity journalist and author, says there is a resource issue. The following is an edited transcript of our conversation.

Kim Zetter: The IT infrastructure around these systems is often quite outdated. In the case of the Oldsmar incident, they were using old Windows software. They were using a remote access tool to allow operators to gain remote access into the system. Water treatment facilities are small operations, in many cases run by small municipalities, and sometimes they don’t have their own IT staff, even. They don’t have a lot of budget. And in general, critical infrastructure systems are not updated as often as we update ordinary desktop IT systems.

Kimberly Adams: We know about what happened in Oldsmar. How widespread do you think these sorts of attacks actually are? Are there a bunch of them that we just never hear about?

Zetter: Many critical infrastructure facilities won’t report when an incident like this happens, so we’ll never hear about it, or they don’t have the mechanisms for even knowing if there’s been an intrusion. And so, in addition to sort of raising the security bar to prevent actors from getting in, they also need to be installing systems that can actually detect and tell them when someone is in their network. And that’s been a problem for a long time.

Adams: Is CISA providing any kind of resources or training for these community systems to help them up their game?

Ongoing cyber threats to water and wastewater systems facilities can impact critical services to communities. Read our joint advisory about this threat with mitigation recommendations from @CISAgov, @FBI, @EPA, & @NSACyber: https://t.co/RyFdcus8i1 pic.twitter.com/Oh6gSd6FTQ
— CISA Infrastructure Security (@CISAInfraSec) October 14, 2021

CISA’s official Twitter account tweets its wastewater treatment plant cybersecurity advisory on Oct. 14, 2021.

Zetter: Well, CISA is underfunded and under-resourced itself. And so it can provide lists of things that water treatment plants should do and advice. But, in terms of sort of one-on-one assistance, they don’t have the people that can actually go out. There are about 50,000 water treatment facilities around the country. So I don’t think that people should rely on CISA for one-on-one assistance, although CISA is certainly available for questions, and in some cases, they will actually help, they will actually send a team to fly out and do assessments. But there are a lot of security companies that are able to do this if a facility has the funding to bring someone in, but there are also nonprofits that will come in and do these kinds of assessments. So it’s really incumbent on the water treatment facilities to ask for help if they need it. And CISA can direct them to the nonprofits and other facilities that can help.

Adams: What’s being done to stay ready for what seems like the inevitable failure, when all of these procedures don’t protect a community?

Zetter: I think that one of the important things that CISA highlighted in its alert was that these safety mechanisms need to be physical devices that are separate from the software controls, so that if someone gets into a system, they can’t both affect the controls, and also undermine the safety mechanism that would alert operators when those controls have been changed. Unfortunately, we’ve seen over the last decade a trend toward the latter, where the safety system is in the same software component as the control system, so that a hacker that gets into the control system can also undermine that safety mechanism. And water treatment facilities really need to have the separate checks and balances in place and make sure that they work and make sure that hackers can’t get to those.

Adams: How much responsibility do these facilities have to notify the public when there are these types of attacks? We’re hearing from the Biden administration that say they want big companies to give them 24 hours notice when there has been a cyberattack, and some of these companies are pushing back against that. Where do things stand, right now, in terms of what these facilities are obligated to do?

Zetter: It really varies by industry, because some industries are already regulated by governments such as the electric grid, things like that. And so they already have certain requirements for baseline security, for reporting. But there are other critical infrastructure, like water, that don’t really fall under these kinds of regulations. The Biden administration is trying to force critical infrastructure to report incidents. But, like I said, if you don’t have monitoring capabilities in your network, you may never know about an incident in order to report it. So if the requirement is within 24 hours after you learn of an incident to report it, you may not learn of an incident until a year, two years afterwards. And so by then the damage is done. Or you may not learn about it at all. Really, the the bigger requirement here should be that they should have monitoring systems in place, they should have baseline security in place so that they actually even know when there has been an intrusion. The reporting comes afterwards, but first they need to actually know.

Adams: And is there any funding in the pipeline to help upgrade these systems, all over the country, that may be outdated or don’t have that capability?

Zetter: This is really going to be a responsibility of states to find this funding. I wouldn’t wait for the federal government to come up with money. Definitely I think states have been put on notice that if incidents happen in their jurisdictions, they’re going to be held to a higher level of responsibility going forward. What that will be, it’s still unclear. We saw with the railway directives that came out a couple of weeks ago from the TSA, requiring certain high-risk railways, basically they were telling them, that [the railways] should actually have a point person for cybersecurity. This is 2021. And if you’re telling high-risk railways in 2021, that they need, at the very least, to have a point person designated for cybersecurity. We’re 20 years behind. That should have been happening 20 years ago. I think that the federal government is limited by their own legislation, by what they are allowed to tell critical infrastructure to do, and so there are a lot of barriers that we have to get past before the federal government can really have a strong effect on this.

The future of this podcast starts with you.

Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.

As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.

Support “Marketplace Tech” in any amount today and become a partner in our mission.