Friday, February 19, 2021

Small water systems may have a hard time beefing up cybersecurity at a time their vulnerability has been revealed

The Feb. 5 hacking attempt on a small Florida water system shines a "highlights dire weaknesses in critical infrastructure and has federal policy-makers paying attention to industrial control systems, such as those also used by electric utilities, which are often managed by local municipalities," Mariam Baksh reports for Route Fifty.

The attack, which cybersecurity experts say was likely carried out by amateurs, was possible because of an outdated operating system, poor password security, and other weaknesses, Baksh reports. Federal authorities have issued recommendations to other water systems to stave off similar attacks, but such strategies may be difficult for rural utilities with little funding or personnel. 

Joseph A. Davis of the Society of Environmental Journalists provides an excellent explainer about public water systems in the U.S., including the security weaknesses many face, what funding is available to protect against cyberattacks, and story ideas and reporting sources.

The Bioterrorism Act of 2002 required water systems above a certain size to conduct vulnerability assessments and submit the results to the Environmental Protection Agency. Those assessments are exempt from the Freedom of Information Act and are meant to be kept secret, but loopholes can allow hackers (or journalists, for that matter) to learn more: "The same water systems were also required to draw up Emergency Response Plans for dealing with a terrorist attack," Davis reports. "In doing so, utilities were to coordinate with other agencies like police or hazmat units. The 2002 law did not require these to be disclosed, but did not explicitly forbid disclosure either. So a resourceful journalist could possibly get a look at the local plan."

Though Congress authorized and appropriated hundreds of millions of dollars in grants in the early 2000s to help local utilities beef up their security, few agencies and utilities seem to have improved their security much, Davis reports. Some funding was specifically earmarked for smaller water systems, according to a federal report. The report also says water systems may also find funding through Department of Homeland Security grants.

However, Davis notes that garden-variety water pollution is likely a greater threat to water systems ill-equipped to deal with it.

No comments: