EPA Says It Will Step Up Enforcement To Address 'Critical' Vulnerabilities Within Water Sector (therecord.media) 64
The U.S. Environmental Protection Agency on Monday urged water utilities to take action to improve their digital defenses, following a spate of recent cyberattacks. From a report: The agency's "enforcement alert" said that recent inspections of water systems found that more than 70 percent fail to meet basic cybersecurity standards, including some with "critical" vulnerabilities, such as relying on default passwords that haven't been updated and single logins that "can easily be compromised." The notice comes after a Russian hacktivist group claimed credit for digital assaults on water sites in Texas and Indiana. Late last year, Iran-linked Cyber Av3ngers group took responsibility for striking a water authority in Pennsylvania.
Re: (Score:2)
I want some of what you're smoking!
Re: (Score:2)
Not smoking anything. I have just been brain damaged from drinking the tap water in Flint Michigan for too many years. https://en.wikipedia.org/wiki/... [wikipedia.org]
Honestly at this point the US government's own departments managing water health could be considered quite a significant risk.
Open source (Score:2)
I'm curious what would be the downsides of open sourcing this stuff to verified U.S. citizens that pass security checks - 70% is insane. I would gladly contribute.
Re: (Score:3)
I assume the issue here is not some master program but dozens if not hundreds of various automation components from different manufacturers, all with their own firmware and code that the water service integrates together to control all their pumps and machines and around here we know industrial controls often are outdated, often not patched and never really intended to be put on the internet in any form but it happens anyway.
While that's a good goal to have all that stuff open source it's an uphill battle.
Re:Open source (Score:4, Interesting)
It's all very basic and common SCADA stuff and that's the danger. Protocols designed in the 1970's didn't have any security whatsoever. All plain-text with little to no encryption anywhere. Then you'll see the primary SCADA controller at a remote site connected to the clear web for remote access. Putting trained humans at every pump station, etc, 24/7 instead of one at a central location would be astronomical costs for small municipalities.
I've seen many, many SCADA controllers just plugged directly into a cable modem without even a router between them much less a firewall. I'm talking cable modem to WinXP box. Within the last year! Just installing routers that can IPSEC tunnel between them would break budgets everywhere.
Re: (Score:2)
Thank you, I knew there was a term for all this stuff, I just did not remember SCADA but you hit it on the head, some of this stuff is just plain ancient and combined with pretty lax practices, a lot of "ain't broke don't fix it".
Just installing routers that can IPSEC tunnel between them would break budgets everywhere.
Yeah I imagine this is the real issue and most of these places probably don't have a dedicated IT staff to make sure this all would actually operate.
Re: (Score:2)
I don't know who is down-voting this person, but they clearly have some knowledge about this subject.
Re: (Score:2)
They aren't being downvoted for these comments. They just have abysmal karma from numerous obnoxious comments over the years and hence start at -1 score.
Re: (Score:2)
So why is that stuff on a publicly accessible network?
Re: (Score:2)
So why is that stuff on a publicly accessible network?
Because that's about all that is left. Paging networks are going the way of the dodo. Dedicated leased lines are expensive (and still require specialized IT/comms expertise). RF links even more so. Plus the telecoms are doing everything in their power to kick everyone off dedicated public service bandwidth and bring them into the dark side of 5G IoT.
You want your maintenance plumber to get a call in the middle of the night when a pump failed and water pressure is heading towards zero. How else are you goin
Re: (Score:2)
It's very different sending a message to a plumber, and having control of the system be on the net. Only one is a reasonable use of the public network.
Re: (Score:2)
But the packaged water treatment automation systems come with all of these capabilities. Sure, you could hire an experienced IT person to set up users, roles, permissions. But these people cost money. Particularly if its a specialized application without a broad market. It becomes like all the NT systems that many companies buy. "The hell with it. Just make everyone an admin."
Sure, you could market a system with "read-only" functions. But that would be even more of a niche product.
Re: Open source (Score:1)
It wouldnâ(TM)t break a budget since you can do it for less than $200 with common hardware and Linux. The problem is people are lazy, government is wasteful and that makes things much more expensive than they need to be. Give them a fixed budget and make them compete while putting out liabilities like they do in commerce and things would get fixed really fast.
Re: (Score:2)
How is the municipal water supply supposed to compete? This is not Federal but a bunch of local towns and cities, there's a herding cats aspect.
Re: (Score:1, Interesting)
It's all SCADA nothing is really closed-source. The controller systems aren't really the problem, it's the connections between sites that are wide open with no security. It's mainly network-level security and the lack of budget and staff that's the problem. Many local gov'ts I'm familiar with would need more network engineers to secure and maintain it than the entire staff of the water/sewer depts. The physical environments this eqpt operates in is challenging too (to put it mildly). Spend 30 minutes a
Re: (Score:2)
The source isn't the problem. The problem is having this stuff connected to the internet and poor passwords.
Re:Open source (Score:4, Interesting)
Passwords are a real issue, and there's no cause for it other than technological ignorance on the part of older staff and laziness among the younger. While I worked in the field doing physical security (key cards, cameras, alarms, that stuff) I introduced literally dozens of our customers to Keepass for password management, and many of them standardized on it once they discovered how easily I could access their equipment as they had configured it. For many it was the first and only piece of freeware that their IT department allowed. Installed on a secure network share and regularly backed up it provided an easy and secure method for maintaining complex passwords and non-standard usernames, and for working at remote sites it could be copied onto a USB stick.
This habit also turned out to be a selling point for our services as compared to our competitors. For example I could access the admin-level account of any Niscaya (a large international security installer) or Securitas installation in the country, having found and recorded their standard password. We on the other hand created user accounts and custom passwords for every customer, and saved them in Keepass for use by our staff. Our customers' IT staff were often appalled by what we were showing them, that their security system was their largest security hole. Unfortunately Aronson Security has been bought out by ADT and their staff now has to work with the same shitty standards as the rest of that really shitty company.
Re: (Score:2)
I'm sorry, but what? You think that utility bills would triple/quadruple just because companies make their employees start using complex passwords that they can store in an easy to use (and possibly free) program? I'm not clear on how you think that would come about, care to clarify?
Re: (Score:2)
If you're restricting it to people with security clearances, that isn't open source by any definition. That's just increasing the number of people under NDA. You aren't going to get contributions from the "open source community" if the prospective contributors don't stand to benefit from contributing.
Re: (Score:3)
Ok, semi-open source. I would contribute because I would personally benefit from having my water supply being secured.
Is this the EPA's responsibility? (Score:4, Interesting)
The federal government needs to be on top of this, but the EPA? Critical infrastructure security should be in CISA's wheelhouse.
And the NSA should be doing critical infrastructure testing 24/7.
Re:Is this the EPA's responsibility? (Score:5, Insightful)
In the article is says CISA wrote up guidelines for the water industry but I imagine the enforcement process flows through the EPA, they are likely the agency has the mandate to go tell these services "here is the guide you need to follow".
CISA, FBI and EPA Release Incident Response Guide for Water and Wastewater Systems Sector [cisa.gov]
Re: (Score:2)
Re: (Score:2)
I mean wouldn't anyone able to make arrests are effectively officers of the law, therefore carry gun? Seems to track, it says right there, "criminal enforcement"
SCADA (Score:2)
Who the hell is putting SCADA on the internet? They need to be fired.
Re: (Score:2)
Boss: Hey I'm tired of coming into the office just give me remote access and don't set any complicated passwords
Re: (Score:3)
Bingo. When I was doing physical security (key cards, cameras, alarms, etc.) in the field my biggest headache was always the boss who wanted stuff installed outside the corporate firewall so that he could access it without having to remember how to use the VPN. Fortunately my bosses always backed me up when I refused.
Automotive (Score:4, Interesting)
There was a push for this in the automotive sector a couple of decades ago, so they made their own internet.
https://en.wikipedia.org/wiki/... [wikipedia.org]
It's secured with static certificates and end-to-end encryption over private leased lines. It's slow as dirt, but only carries small files, like shipping orders, production information and serial number rosters.
If you *have* to do it, that's how you do it.
Simple Question (Score:2)
If a water company hires an IT employee, they only take people with 15 years of relevant experience, a PhD and the ability to pass six interviews and do 100 hours of world-class unpaid work for the company.
How could they possibly be having trouble with their security systems?
they don't have the funds for IT just 1 shared tea (Score:2)
they don't have the funds for IT just 1 shared team viewer login on an XP box.
Re: (Score:2)
Don't forget getting paid $13.49 an hour.
It's worse than you think (Score:5, Informative)
Re: (Score:2)
Which means that they’re rank amateurs. Oh noes, Iran temporarily disabled the water system of a small midwestern town. Let’s all surrender in the face of Iran’s overwhelming might. What a glorious victory over the imperialistic American pigdog, eh? Eyeroll. You don’t see the NSA messing with other countries cyb
Re: (Score:2)
You don’t see the NSA messing with other countries cybersystems
Of course you don't SEE them doing it, and that's partly because other countries aren't adequately equipped to detect and trace the intrusions. Mostly though it's because our bought-and-paid-for media go out of their way to amplify every claim of the US, valid or not, and ridicule and denigrate any claims, valid or not, of the designated enemy-of-the-day. For their purposes it just matters whether or not you KNOW that they're doing it, and they have gone to great lengths and expense over the past four dec
Re: (Score:2)
Damn, I thought this stuff was publicly owned. I was doing some quick research and came across this article: https://www.mcgrawcenter.org/s... [mcgrawcenter.org]
Yeah profits should not be the goal here.
Re: (Score:2)
In our area, Snohomish County, WA, customers can choose to buy power from Puget Sound Energy, a for-profit corporation, or the Snohomish Public Utility District. You can see the difference in maintenance just driving around, SnoPUD is absolutely brutal in tree trimming while PSE's lines are full of trees, drooping towards the ground, with leaning poles. Since SnoPUD's power is cheaper and FAR more reliable PSE doesn't have many customers in our county, at one point they were going to go to court to try to
Re: (Score:2)
Sure you can, it just takes spending public money for the public good, which unfortunately seems to be anathema to many modern politicians. Reverse the stupid 'privatization' trend, hold private corporations to the same standards as public ones, enforce the damn laws the way they're supposed to, and many regions would no longer pull in the high profit levels corporate executives expect, providing the opportunity for them to be spun off to public entities. Snohomish County ended up owning a number of forme
That's not the EPA's concern. (Score:1, Interesting)
The EPA, and the federal government generally, needs to stay in their lane and leave what is not explicitly granted as federal powers to the states. Am I concerned that there may be some security issues with internet connected water supply control systems? Sure, I guess so. Do I believe the federal government should be getting involved in securing these systems? No. Water supplies are a local issue.
If the federal government wants to issue some guidance on how to secure water supplies then I guess that
Re: (Score:2)
>> Water supplies are a local issue.
And you know this how? Where I live (Texas) there are state-owned corporations that own both the water itself and the treatment plants for vast drainage basins and reservoirs that serve many cities. The Lower Colorado River Authority is one example, and the corporate boards are chosen as part of the state political patronage system. They don't answer to anyone local.
>> federal government for getting their nose in the business of local farmers
Local farmers don'
Re: (Score:3)
The problem is that these federal suggestions slowly evolve into requirements.
That's true. But states do the same thing. And states (mine in particular) aren't smart enough to keep other parties, some with questionable motives, out of things like the water business.
I have a use permit and have been pumping my own water for decades. But about once every ten years, the state makes a run at requiring all individual water users to be collected under some sort of "water associations". That's step one. Step two is everyone gets a meter, even on their own wells. Step three is: Once water u
No, the dog has my tongue (Score:5, Interesting)
What's much worse was when they started putting their systems on the Internet (even unintentionally, because cellular modems come with an IP address!). After such a change, it's best to have all the standard protections Slashdotters harp about, but that's an order of magnitude more of complexity--sometimes a big ask for the decent, but non-technical, blue collar folks who have been running such systems just fine for decades.
And to address a side topic mentioned above, I don't see open source making headway because it suffers from the same problem as the computer industry: Since hardware (unnecessarily?) changes all the time (chips, PCs, etc.), there's not going to be a finished, never-changing platform, which means development is always going to be in flux. Who's going to do that, for free, forever? There are already plenty of abandoned open source projects.
Re: (Score:2)
The hardware upgrades are something I didn't think about and an excellent point.
Re: (Score:2)
Re: (Score:2)
Internet and critical infrastructure (Score:2)
Re: (Score:1)
Re: (Score:2)
That's just it by connecting remotely, less staff is need. Saving money for management salaries.