Biden Administration Announces Plan To Stop Water Plant Hacks (reuters.com)

The Biden administration announced on Friday a new plan to improve the digital defenses of public water systems. From a report: The move comes one day after the announcement of a national cybersecurity strategy by the White House, which seeks to broadly improve industry accountability for the cybersecurity of American critical infrastructure, such as hospitals and dams. The water system plan, which recommends a series of novel rules placing more responsibility for securing water facilities at the state level, follows several high-profile hacking incidents in recent years.

In February 2021, an intruder in the control system of a water treatment plant in Florida raised the sodium hydroxide (lye) dosing setpoint far above its normal value; an alert operator saw the change and reverted it before it reached the water, an incident that could have been deadly had the hack not been detected quickly. And in March 2019, a terminated employee at a Kansas-based water facility used his old computer credentials to remotely take systems offline, according to an administration official. The government is acting now because of the urgency of the threat, according to a senior U.S. Environmental Protection Agency (EPA) official. Radhika Fox, the assistant administrator in the EPA's Office of Water, said hackers had "shut down critical treatment processes" and "locked control system networks behind ransomware," underscoring the current danger. However, some experts say the new plan will not do enough to help make systems more secure.

  • by cayenne8 ( 626475 ) on Friday March 03, 2023 @02:04PM (#63339343) Homepage Journal
    How about disconnect all water systems from external network??

    No internet access for water plants...isolate them and all functions from external access.

    Now...is that so hard?

    Do remember, we had running water and safe, city water treatment for decades before we had any computer control whatsoever, much less networked computers.

    • Windows Embedded 2024 needs online DRM, so no!

    • by buss_error ( 142273 ) on Friday March 03, 2023 @02:14PM (#63339379) Homepage Journal

      How about disconnect all water systems from external network??
      No internet access for water plants...isolate them and all functions from external access.
      Now...is that so hard?

      Yes. It is.

      Do remember, we had running water and safe, city water treatment for decades before we had any computer control whatsoever, much less networked computers.

      We also had vastly fewer people and manufacturing.

      However, if we pass a very simple law, it would be easy. No default passwords allowed. When device is being connected, obviously needs configuring. Simply require a non-default password instead of admin:admin. Will not work without a password. Most pen tests for SCADA seem to focus on default passwords, while many are not default (Dominion Pipe hack was an internal leak), some are.

      Water systems are no longer monolithic in most cities. They consist of many areas running as smaller plants to supply one particular area, with their own wells, own reserves, and own needs. Being unable to automate remotely would cause a price increase on the close order of 8 times in labor costs alone in those situations. Monolithic systems would likely only see a rise of 300 or 400 percent.

      • by nzkbuk ( 773506 )
        No default password will take over 20 years to be implemented.
        You cannot expect all connected devices to be scrapped, and any pre-existing device will be grandfathered so the law does not apply.
        • No default password will take over 20 years to be implemented.

          So we'd better start now!

        • FP branch disappoints and the story seems to have little potential for Funny, so...

          I'll repeat the request for a lead to a good book on the topic. The best fundamental treatment I've read remains Richard Clarke's old classic, where he basically concluded that there are lots of aggressive actors with strong offensive capabilities, but relatively few actors with strong defenses. Vulnerability was all over the place, but America was high on the vulnerable list.

      • >We also had vastly fewer people and manufacturing.

        Uh, this was before we offshored, or at the start of offshoring; we had more manufacturing in the 1970s and 80s.

        Yes we have more people, but whether an electric motor controlling a valve is engaged by a button in the water plant or remotely over the Internet is not dependent on the population.

        Most pen tests for SCADA seem to focus on default passwords ...

        While no default passwords and other basic security concepts are all fine and good and we should do them, those pen tests fail when the plant has no connection to an external network.

        And if you want to g

      • No default passwords allowed.

        That may seem like the solution, but keep in mind even a burglar who is an accomplished lock picker will still try jiggling the knob first. Modern software is prone to all manner of exploits, and then you've also got the possibility of access gained through old fashioned social engineering.

        If you don't want someone to access it, air gap it from the internet. That's the only correct answer.

      • The cost of de-automating may be quite sustainable.
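The commissioning rule buss_error proposes above (the device "will not work without a password" and refuses the factory admin:admin pair), as an added example that is not code from the original thread or from any vendor's firmware. `DeviceCommissioning`, the `KNOWN_DEFAULTS` list, the account names, the serial and the 12-character minimum are all constructed for illustration; the gate refuses to enable network services while any factory account still carries its default, and refuses replacement passwords that are themselves defaults, too short, unchanged, or built from the username or serial.

```python
# Added example: a commissioning gate that will not bring up remote access until every
# factory account has been re-credentialed under policy. All names and values are constructed.
from dataclasses import dataclass

# Constructed denylist of the kind of factory pairs that turn up in OT equipment; a real
# deployment would load the vendor's published defaults for the exact model here.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", ""),
    ("root", "root"), ("operator", "operator"), ("user", "user"),
}
MIN_PASSWORD_LENGTH = 12  # assumed policy value


@dataclass
class Account:
    username: str
    password: str
    factory_default: bool = True  # still on the credential it shipped with


class DeviceCommissioning:
    """Tracks a device's factory accounts and gates remote access on all of them being changed."""

    def __init__(self, factory_accounts: dict[str, str], serial: str):
        self.serial = serial
        self._accounts = {u: Account(u, p) for u, p in factory_accounts.items()}
        self.remote_access_enabled = False

    def check_password_policy(self, username: str, candidate: str) -> list[str]:
        """Return every policy violation for the candidate; an empty list means acceptable."""
        acct = self._accounts.get(username)
        if acct is None:
            return [f"unknown account {username!r}"]
        problems = []
        if (username, candidate) in KNOWN_DEFAULTS:
            problems.append("matches a known factory default")
        if len(candidate) < MIN_PASSWORD_LENGTH:
            problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
        lowered = candidate.lower()
        if username.lower() in lowered or self.serial.lower() in lowered:
            problems.append("contains the username or device serial")
        if candidate == acct.password:
            problems.append("unchanged")
        return problems

    def set_password(self, username: str, new_password: str) -> list[str]:
        """Apply the new password only if it passes policy; return the violations otherwise."""
        problems = self.check_password_policy(username, new_password)
        if not problems:
            acct = self._accounts[username]
            acct.password = new_password
            acct.factory_default = False
        return problems

    def pending_accounts(self) -> list[str]:
        """Accounts still on factory credentials, i.e. what blocks enabling the network."""
        return sorted(u for u, a in self._accounts.items() if a.factory_default)

    def enable_remote_access(self) -> bool:
        """The 'will not work without a password' rule: refuse while any factory credential remains."""
        if self.pending_accounts():
            return False
        self.remote_access_enabled = True
        return True


if __name__ == "__main__":
    dev = DeviceCommissioning({"admin": "admin", "operator": "operator"}, serial="WTP-0042")
    print("remote access before re-credentialing:", dev.enable_remote_access())
    print("admin -> admin:", dev.set_password("admin", "admin"))
    print("admin -> passphrase:", dev.set_password("admin", "correct horse battery staple"))
    print("still pending:", dev.pending_accounts())
    print("operator -> passphrase:", dev.set_password("operator", "north basin valve rota 7"))
    print("remote access after:", dev.enable_remote_access())
```

The gate is only as good as where it sits: it has to run on the device (or in the provisioning tool that the device trusts), not in a checklist the installer can skip, and nzkbuk's point in the reply stands that it does nothing for equipment already in the field, which still needs a one-off audit against the same `KNOWN_DEFAULTS` list.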

    • How about disconnect all water systems from external network??

      This movie [imdb.com] should be required watching for anyone who thinks it's a good idea to connect critical infrastructure to the internet. Also, with the added context that in 1995 when the movie was released, most things still weren't connected to the internet, making the plot as depicted rather implausible at the time.

    • Do remember, we had running water and safe, city water treatment for decades before we had any computer control whatsoever, much less networked computers.

      I can vouch for that. I got to spend a day at the local water plant and learn about its operations on one of those take a kid to work days. A human being actually had to be on site to press a button to engage an electric motor, or manually turn a wheel on valve. It was like playing Half-life.

    • Common sense answer. (Score:4, Informative)

      by genixia ( 220387 ) on Friday March 03, 2023 @04:00PM (#63339681)

      Come back when you have some real practical knowledge of how SCADA and Distributed Control Systems actually work.

      Most Operational Technology networks (that connect physical plant equipment) are indeed separated from Information Technology networks (that are used for the business side), with no direct external access. Unfortunately, plants don't work very well when completely isolated. Information usually needs to travel from one side to the other. For example, it's difficult to bill customers when you don't know how much water they consumed, or direct a maintenance crew to a downed power line when you don't know where it is. You certainly wouldn't want to put your accountants or service department on the OT networks - they can only get that information via the IT networks.

      A challenge is that many OT networks are massive and contain relatively old equipment. It can take years to design and roll out a major upgrade. It's not something done lightly because no-one wants to hear that their power is going to be out for several weeks as a result of a failed upgrade that Bob decided to roll out to 70 substations on a whim. Everything is heavily tested before upgrade, and that itself requires secondary test OT networks containing the same equipment. Time and money. I am sure that it will come as no shock to hear that most Human Machine Interfaces run on some version of Windows. Those HMIs are within the OT. How do you get tested upgrades to them without an external connection? I trust that you don't want to leave bugs with a high CVSS score sitting out there for years...

      My background contains 17 years of cybersecurity experience, over 20 years of software QA and release engineering, and over a decade of that in an industrial capacity related to water and power. I know a little about these challenges.

      The irony in your .sig is absolutely beautiful.
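The flow genixia describes (consumption readings have to reach the IT side for billing, while nothing from IT should be able to act on OT), as an added example that is not code from the original thread or from any utility's software. The OT side emits one record type, authenticated with an HMAC over a shared key; the IT side accepts only that exact schema, checks the tag, and treats anything else, including a correctly signed frame of a different type, as noise. `SHARED_KEY`, `ot_emit`, `sign_frame`, `ItImporter`, the meter IDs and readings are all constructed for this example; the HMAC is Python's standard-library `hmac` with SHA-256.

```python
# Added example: typed, authenticated one-way telemetry from the plant (OT) network to the
# business (IT) network. Only meter readings cross; there is no command type to accept.
import hashlib
import hmac
import json

# Assumed to be provisioned out of band on both sides; constructed value for the example.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ALLOWED_TYPES = {"meter_reading"}
REQUIRED_FIELDS = {"type", "meter_id", "cubic_metres", "ts"}


def sign_frame(body: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the IT side can tell plant telemetry from junk on the link."""
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def ot_emit(meter_id: str, cubic_metres: float, ts: int) -> bytes:
    """OT side: the only thing it knows how to produce is a meter reading."""
    record = {"type": "meter_reading", "meter_id": meter_id, "cubic_metres": cubic_metres, "ts": ts}
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return sign_frame(body)


class ItImporter:
    """IT side: validates tag, schema and ordering; returns the record or None and logs why."""

    def __init__(self):
        self.last_ts: dict[str, int] = {}   # meter_id -> last accepted timestamp (replay guard)
        self.rejected: list[tuple[str, bytes]] = []

    def _reject(self, reason: str, frame: bytes):
        self.rejected.append((reason, frame))
        return None

    def ingest(self, frame: bytes):
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            return self._reject("missing tag", frame)
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return self._reject("bad mac", frame)
        try:
            rec = json.loads(body)
        except ValueError:
            return self._reject("not json", frame)
        if not isinstance(rec, dict) or set(rec) != REQUIRED_FIELDS:
            return self._reject("schema", frame)
        if rec["type"] not in ALLOWED_TYPES:
            return self._reject("type not allowed", frame)
        if not isinstance(rec["meter_id"], str) or not isinstance(rec["ts"], int):
            return self._reject("bad value", frame)
        if not isinstance(rec["cubic_metres"], (int, float)) or rec["cubic_metres"] < 0:
            return self._reject("bad value", frame)
        if rec["ts"] <= self.last_ts.get(rec["meter_id"], -1):
            return self._reject("replay", frame)
        self.last_ts[rec["meter_id"]] = rec["ts"]
        return rec


if __name__ == "__main__":
    importer = ItImporter()
    frame = ot_emit("M-100", 12.5, 1677859200)          # constructed reading
    print("accepted:", importer.ingest(frame))
    print("replayed:", importer.ingest(frame))
    print("tampered:", importer.ingest(frame.replace(b"12.5", b"99.5")))
    # Even with the key, a 'setpoint' frame has no meaning on the IT side.
    forged = sign_frame(b'{"cubic_metres":0,"meter_id":"M-100","ts":9,"type":"setpoint"}')
    print("wrong type:", importer.ingest(forged))
    print("rejections:", [r for r, _ in importer.rejected])
```

The code enforces what may cross and in which shape; it does not enforce direction. In practice this sits behind a hardware data diode or a one-way relay in a DMZ, and the HMI patching window genixia raises (and rbrander's "window" below) is a separate, inbound path that this pattern deliberately does not provide, which is exactly why it needs its own controls.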

  • by JaredOfEuropa ( 526365 ) on Friday March 03, 2023 @02:05PM (#63339347) Journal
    For a moment I thought they meant people messing up water lillies with CRISPR.
  • This just goes to show how "unthinkable" it is to most people that any given computer should not have internet access. I run into people surprised that Point-of-Sale terminals often do not have Internet access.
  • Here are some soft targets that can be easily compromised -- and remotely -- by unknown threat actors.

    1. Ports. Airports (drive a rental truck through a chain link fence, or hop on a wheelwell and fly somewhere bypassing "security theater" entirely). Old news. Seaports - even less protection. Book any offshore excursion (whale watching, diving, etc.) and bring your own weapon and enjoy. Bus stations even less protection.

    2. Assemblies of people. Stadiums, arenas, tracks, etc. Security theater inclu

    • 2. Assemblies of people. Stadiums, arenas, tracks, etc. Security theater includes see-through bags but no personal pats, pocket searches, X-rays or metal detectors, so bring your firearms but don't bring a Pez dispenser.

      This is America. We like our football to have danger in it.

  • by ugen ( 93902 ) on Friday March 03, 2023 @02:33PM (#63339429)

    First rule of security is *not to talk about it*. If you want to improve water plant security - just do it. Don't tell anyone what you are going to do (not even that you are actually doing anything). Why help those guys?

    • First rule of security: do not rely on obscurity.
      • by ugen ( 93902 )

        Not talking about what you are going to do is not the same as obscurity. You can implement appropriate safeguards, safe algorithms and the like. But there is still absolutely no reason to disclose that.

    • "We will turn off internet access on this day..."
      Bad actors now have an elevated timeline.

  • Ah, so we're looking for "novel rules" now? Here, let me start.

    Novel Rule #1: Don't put your critical infrastructure online.

    Novel Rule #2: Understand why you do not put your critical infrastructure online.

    Novel Rule #3: Fire any moron who still doesn't get it.

    • Just for instance, power substations have been remotely automated since just about forever, first on dial up 110 baud modems, then up to 1200 baud, then 56K frame relay, now simply a convenient internet. While we could absolutely go back to offline and in person manned stations for every critical infrastructure situation, it will come at the price of scores of high priced, at least moderately trained employees. A cost that *will* be passed along.

      Or, in the alternative, we simply tell people making these dev

  • Why does the title of this article read like some sort of life hack gone wrong.
  • by rbrander ( 73222 ) on Friday March 03, 2023 @04:10PM (#63339743) Homepage

    No, Pinellas County did not for a moment get more "lye" (sodium hydroxide) in their water.

    The hacker issued an order from the central computer. This went to a tiny computer running the sodium hydroxide doser, which has its own program to never allow more than the legal amount past it. And the operator didn't notice by accident, he was doing his job, watching the system. Watched the order to increase come in, a nutty one the doser would refuse, and he countermanded it on the spot.

    If the sodium hydroxide computer had ALSO been compromised - which would have involved changing out a ROM - then it would have opened to the max. Which also would not have been dangerous, since the sodium-hydroxide feed line is sized so that it isn't bigger than it would need to be on the most-water-consuming day of 10 years, which is to say, it might have been double what was needed at the time (February, few people watering), but still not remotely dangerous to people.

    Your water-treatment plant is just NOT capable of poisoning you with treatment chemicals. Period. Not *physically* capable, if we tried our hardest.

    And, yes, we use air-gaps. People get around them to watch YouTube or porn, we discipline or fire them when caught.

    Also, there's a "window" in every control system, these days: maintenance tends to hook them up to the main corporate network during maintenance, to bring in new software. At that time, programs or even live observers that have made it into the corporate business network can jump at the chance to sneak into a control network. It's a very known issue, and the battle continues.

    Some more resources for it are badly needed by smaller utilities, so federal help is very welcome. But, the big utilities are mostly fairly confident of their efforts.

    • Re: (Score:1, Troll)

      by tomhath ( 637240 )
      How dare you refute a slashvertisement from Biden's campaign office.
    • by 6Yankee ( 597075 )

      Your water-treatment plant is just NOT capable of poisoning you with treatment chemicals. Period. Not *physically* capable, if we tried our hardest.

      Camelford would beg to differ. I hope that lessons were learned and that it would now be physically impossible to screw up that way again.

      Having watched Deviant Ollam get into a treatment plant with nothing more than a piece of bent metal, it's the meatspace vulnerabilities that concern me more than the remote hack - especially given the efforts you describe to
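The layering rbrander describes above (the central computer issues the order, the doser's own controller refuses anything outside its limit, and the feed line is physically sized so that even the controller's maximum is bounded), as an added example that is not code from the original thread or from any utility's firmware. `SafeEnvelope`, `DoserController` and `physical_feed_rate` are hypothetical names, and every number (the envelope, plant flow, stock concentration, pump ceiling) is constructed; the rejected request is two orders of magnitude above the running dose, the kind of change reported in the Florida incident.

```python
# Added example: a local dosing controller that applies its own safe envelope to setpoints
# from the central SCADA/HMI, plus the independent physical ceiling of the metering pump.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SafeEnvelope:
    """Limits that live in the doser controller itself, not in the central system."""
    min_ppm: float              # lowest dose the controller will run
    max_ppm: float              # highest dose the controller will ever accept
    max_step_ppm: float         # largest change accepted in a single command
    pump_max_ml_per_min: float  # physical ceiling of the metering pump / feed line


@dataclass
class DoserController:
    envelope: SafeEnvelope
    setpoint_ppm: float
    log: list = field(default_factory=list)  # (verdict, source, requested, reason)

    def apply_setpoint(self, requested_ppm: float, source: str) -> bool:
        """Accept or reject a setpoint command; a rejection never touches the setpoint."""
        reasons = []
        env = self.envelope
        if not (env.min_ppm <= requested_ppm <= env.max_ppm):
            reasons.append(f"outside envelope {env.min_ppm}-{env.max_ppm} ppm")
        if abs(requested_ppm - self.setpoint_ppm) > env.max_step_ppm:
            reasons.append(f"step larger than {env.max_step_ppm} ppm")
        if reasons:
            # A rejected command is itself an alarm: this is what the watching operator sees.
            self.log.append(("REJECT", source, requested_ppm, "; ".join(reasons)))
            return False
        self.log.append(("ACCEPT", source, requested_ppm, ""))
        self.setpoint_ppm = requested_ppm
        return True

    def pump_rate_ml_per_min(self, plant_flow_l_per_min: float, stock_mg_per_ml: float) -> float:
        """Pump command for the current setpoint, bounded by the physical ceiling."""
        return physical_feed_rate(self.setpoint_ppm, plant_flow_l_per_min,
                                  stock_mg_per_ml, self.envelope.pump_max_ml_per_min)


def physical_feed_rate(setpoint_ppm: float, plant_flow_l_per_min: float,
                       stock_mg_per_ml: float, pump_max_ml_per_min: float) -> float:
    """Second, independent layer: whatever the logic asks for, the pump cannot deliver more
    than its sized maximum. For dilute solutions 1 ppm is taken as 1 mg/L."""
    needed_mg_per_min = setpoint_ppm * plant_flow_l_per_min
    needed_ml_per_min = needed_mg_per_min / stock_mg_per_ml
    return min(needed_ml_per_min, pump_max_ml_per_min)


if __name__ == "__main__":
    env = SafeEnvelope(min_ppm=50, max_ppm=200, max_step_ppm=25, pump_max_ml_per_min=400)
    doser = DoserController(envelope=env, setpoint_ppm=100)
    doser.apply_setpoint(120, source="hmi")     # routine operator adjustment
    doser.apply_setpoint(11100, source="hmi")   # the kind of order a compromised HMI sends
    for entry in doser.log:
        print(entry)
    print("pump at current setpoint:", doser.pump_rate_ml_per_min(1000, 500), "mL/min")
    # With the controller logic bypassed entirely, the feed line still caps the dose.
    print("pump if 11100 ppm were forced:", physical_feed_rate(11100, 1000, 500, env.pump_max_ml_per_min), "mL/min")
```

Two caveats a practitioner would add to rbrander's account: the envelope is a second layer only if it cannot be rewritten from the same network that carries the setpoints (rbrander's "changing out a ROM" is the right property to insist on), and the physical ceiling is a safety argument about one chemical and one pump sizing, which is why the reply about Camelford is not answered by it.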

  • Not everything needs to be online or even computerized. The fetish to inflict computers on every process is naive and stupid.

  • https://www.epa.gov/system/fil... [epa.gov]

    "... EPA clarifies with this memorandum that states must evaluate the cyber security of operational technology used by a PWS when conducting PWS sanitary surveys or through other state programs. "

    So basically they are saying that water safety inspections must now include cyber security as part of the evaluation. If your cyber security sucks, your water should not be considered safe.

    What this is missing is that utility districts like the somewhat famous Oldsmar, Flo
  • Step 1: ban Windows.
