By KIM BELLARD
Matthew Holt, publisher of The Health Care Blog, thinks I worry too much about too many things. He’s probably right. But here’s one worry I’d be remiss in not alerting people to: your water supply is not as safe – not nearly as safe – as you probably assume it is.
I’m not talking about the danger of lead pipes. I’m not even talking about the danger of microplastics in your water. I’ve warned about both of those before (and I’m still worried about them). No, I’m worried we’re not taking the danger of cyberattacks against our water systems seriously enough.
A week ago the EPA issued an enforcement alert about cybersecurity vulnerabilities and threats to community drinking water systems. This was a day after EPA head Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. governors warning them of “disabling cyberattacks” on water and wastewater systems and urging them to cooperate in safeguarding those infrastructures.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the letter warned. It specifically cited known state-sponsored attacks from Iran and China.
The enforcement alert elaborated:
Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.
Next Gov/FCW paints a grim picture of how vulnerable our water systems are:
Multiple nation-state adversaries have been able to breach water infrastructure around the country. China has been deploying its extensive and pervasive Volt Typhoon hacking collective, burrowing into vast critical infrastructure segments and positioning along compromised internet routing equipment to stage further attacks, national security officials have previously said.
In November, IRGC-backed cyber operatives broke into industrial water treatment controls and targeted programmable logic controllers made by Israeli firm Unitronics. Most recently, Russia-linked hackers were confirmed to have breached a slew of rural U.S. water systems, at times posing physical safety threats.
We shouldn’t be surprised by these attacks. We’ve come to learn that China, Iran, North Korea, and Russia have highly sophisticated cyber teams, but, when it comes to water systems, it turns out the attacks don’t have to be all that sophisticated. The EPA noted that over 70% of water systems it inspected did not fully comply with security standards, including such basic protections such as not allowing default passwords.
NextGov/FCW pointed out that last October the EPA was forced to rescind requirements that water agencies at least evaluate their cyber defenses, due to legal challenges from several (red) states and the American Water Works Association. Take that in. I’ll bet China, Iran, and others are evaluating them.
“In an ideal world … we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that,” Alan Roberson, executive director of the Association of State Drinking Water Administrators, told AP. “But that’s a long ways away.”
Tom Kellermann, SVP of Cyber Strategy at Contrast Security told Security Magazine: “The safety of the U.S. water supply is in jeopardy. Rogue nation states are frequently targetingthese critical infrastructures, and soon we will experience a life-threatening event.” That doesn’t sound like a long ways away.
Similarly, Professor Blair Feltmate, an expert in water systems at the University of Waterloo in Canada, told Newsweek: “The U.S. Southwest is on the edge of being out of water, due to a combination of climate-change driven extreme heat, growing drought and excess demand. Nonetheless, survival in the Southwest depends on this increasingly precarious water supply—as such, cyber bad guys will likely target this region using a ‘kick ’em while they are down’ logic.”
On the other hand, David Reckhow, Emeritus professor at UMass Amherst, also told Newsweek: “All community water systems are somewhat vulnerable to intentional contamination, but it’s unlikely that cyberattack would result in a serious compromise in water quality or public health. On the other hand, a cyberattack could result in financial difficulties.”
In the interim, the EPA plans to increase the number of planned inspections, but EPA spokesperson Jeffrey Landis admitted to CNN the agency is “not receiving additional resources to support this effort.” It has 88 credentialled inspectors; there are something like 50,000 community water systems. Those are not encouraging ratios. I’ll bet Iran’s IRGC and China’s Volt Typhoon have more than 88 hackers…each.
Part of the problem is that many water systems just haven’t seen cybersecurity as key to what they do. Amy Hardberger, a water expert at Texas Tech University, told CBS News: “Certainly, cybersecurity is part of that, but that’s never been their primary expertise. So, now you’re asking a water utility to develop this whole new sort of department.”
Yes, we are.
Frank Ury, president of the board of the Santa Margarita Water District in southern California, told The Wall Street Journal that he’s worried hackers might have penetrated systems and are lying dormant until a coordinated attack. Jake Margolis, Chief Information Security Officer of The Metropolitan Water District of Southern California, agrees, and warns: “Even if you’re doing everything right, it’s still not enough.” And we’re not even doing everything right.
It’s not as though water systems are all that robust generally. Drinking water infrastructure got a C- in the last ASCE Infrastructure Report Card, with the acknowledgement: “Unfortunately, the system is aging and underfunded.” It could have added: “and woefully unprepared for cyberattacks.”
So, we could have our water shut off, or made undrinkable through changes to how the water is processed. We’ve seen how corporations respond to ransom demands when, say, data is held hostage; what would we agree to in order to get safe water back? We worry about missiles carrying bombs or chemical weapons, so why aren’t we more worried about attacks to the safety of our water?
And, in case you were wondering, water infrastructure is not the only infrastructure vulnerable to cyberattacks; the electric grid and even dams have been targeted. But safe water is about as basic a need as there is.
Safe water was one of the greatest public health triumphs of the 20th century. Let’s hope we can keep it safe in the 21st century.
