Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security United States

EPA Says It Will Step Up Enforcement To Address 'Critical' Vulnerabilities Within Water Sector (therecord.media) 64

The U.S. Environmental Protection Agency on Monday urged water utilities to take action to improve their digital defenses, following a spate of recent cyberattacks. From a report: The agency's "enforcement alert" said that recent inspections of water systems found that more than 70 percent fail to meet basic cybersecurity standards, including some with "critical" vulnerabilities, such as relying on default passwords that haven't been updated and single logins that "can easily be compromised." The notice comes after a Russian hacktivist group claimed credit for digital assaults on water sites in Texas and Indiana. Late last year, Iran-linked Cyber Av3ngers group took responsibility for striking a water authority in Pennsylvania.
This discussion has been archived. No new comments can be posted.

EPA Says It Will Step Up Enforcement To Address 'Critical' Vulnerabilities Within Water Sector

Comments Filter:
  • Comment removed based on user account deletion
    • I assume the issue here is not some master program but dozens if not hundreds of various automation components from different manufacturers, all with their own firmware and code that the water service integrates together to control all their pumps and machines and around here we know industrial controls often are outdated, often not patched and never really intended to be put on the internet in any form but it happens anyway.

      While that's a good goal to have all that stuff open source it's an uphill battle.

      • Re:Open source (Score:4, Interesting)

        by Train0987 ( 1059246 ) on Tuesday May 21, 2024 @10:26AM (#64487849)

        It's all very basic and common SCADA stuff and that's the danger. Protocols designed in the 1970's didn't have any security whatsoever. All plain-text with little to no encryption anywhere. Then you'll see the primary SCADA controller at a remote site connected to the clear web for remote access. Putting trained humans at every pump station, etc, 24/7 instead of one at a central location would be astronomical costs for small municipalities.

        I've seen many, many SCADA controllers just plugged directly into a cable modem without even a router between them much less a firewall. I'm talking cable modem to WinXP box. Within the last year! Just installing routers that can IPSEC tunnel between them would break budgets everywhere.

        • Thank you, I knew there was a term for all this stuff, I just did not remember SCADA but you hit it on the head, some of this stuff is just plain ancient and combined with pretty lax practices, a lot of "ain't broke don't fix it".

          Just installing routers that can IPSEC tunnel between them would break budgets everywhere.

          Yeah I imagine this is the real issue and most of these places probably don't have a dedicated IT staff to make sure this all would actually operate.

        • Comment removed based on user account deletion
          • by _merlin ( 160982 )

            They aren't being downvoted for these comments. They just have abysmal karma from numerous obnoxious comments over the years and hence start at -1 score.

        • by HiThere ( 15173 )

          So why is that stuff on a publicly accessible network?

          • by PPH ( 736903 )

            So why is that stuff on a publicly accessible network?

            Because that's about all that is left. Paging networks are going the way of the dodo. Dedicated leased lines are expensive (and still require specialized IT/comms expertise). RF links even more so. Plus the telecoms are doing everything in their power to kick everyone off dedicated public service bandwidth and bring them into the dark side of 5G IoT.

            You want your maintenance plumber to get a call in the middle of the night when a pump failed and water pressure is heading towards zero. How else are you goin

            • by HiThere ( 15173 )

              It's very different sending a message to a plumber, and having control of the system be on the net. Only one is a reasonable use of the public network.

              • by PPH ( 736903 )

                But the packaged water treatment automation systems come with all of these capabilities. Sure, you could hire an experienced IT person to set up users, roles, permissions. But these people cost money. Particularly if its a specialized application without a broad market. It becomes like all the NT systems that many companies buy. "The hell with it. Just make everyone an admin."

                Sure, you could market a system with "read-only" functions. But that would be even more of a niche product.

        • It wouldnâ(TM)t break a budget since you can do it for less than $200 with common hardware and Linux. The problem is people are lazy, government is wasteful and that makes things much more expensive than they need to be. Give them a fixed budget and make them compete while putting out liabilities like they do in commerce and things would get fixed really fast.

          • How is the municipal water supply supposed to compete? This is not Federal but a bunch of local towns and cities, there's a herding cats aspect.

    • Re: (Score:1, Interesting)

      by Train0987 ( 1059246 )

      It's all SCADA nothing is really closed-source. The controller systems aren't really the problem, it's the connections between sites that are wide open with no security. It's mainly network-level security and the lack of budget and staff that's the problem. Many local gov'ts I'm familiar with would need more network engineers to secure and maintain it than the entire staff of the water/sewer depts. The physical environments this eqpt operates in is challenging too (to put it mildly). Spend 30 minutes a

    • The source isn't the problem. The problem is having this stuff connected to the internet and poor passwords.

      • Re:Open source (Score:4, Interesting)

        by cusco ( 717999 ) <brian@bixby.gmail@com> on Tuesday May 21, 2024 @12:42PM (#64488239)

        Passwords are a real issue, and there's no cause for it other than technological ignorance on the part of older staff and laziness among the younger. While I worked in the field doing physical security (key cards, cameras, alarms, that stuff) I introduced literally dozens of our customers to Keepass for password management, and many of them standardized on it once they discovered how easily I could access their equipment as they had configured it. For many it was the first and only piece of freeware that their IT department allowed. Installed on a secure network share and regularly backed up it provided an easy and secure method for maintaining complex passwords and non-standard usernames, and for working at remote sites it could be copied onto a USB stick.

        This habit also turned out to be a selling point for our services as compared to our competitors. For example I could access the admin-level account of any Niscaya (a large international security installer) or Securitas installation in the country, having found and recorded their standard password. We on the other hand created user accounts and custom passwords for every customer, and saved them in Keepass for use by our staff. Our customers' IT staff were often appalled by what we were showing them, that their security system was their largest security hole. Unfortunately Aronson Security has been bought out by ADT and their staff now has to work with the same shitty standards as the rest of that really shitty company.

    • by _merlin ( 160982 )

      open sourcing this stuff to verified U.S. citizens that pass security checks

      If you're restricting it to people with security clearances, that isn't open source by any definition. That's just increasing the number of people under NDA. You aren't going to get contributions from the "open source community" if the prospective contributors don't stand to benefit from contributing.

  • by schwit1 ( 797399 ) on Tuesday May 21, 2024 @09:57AM (#64487735)

    The federal government needs to be on top of this, but the EPA? Critical infrastructure security should be in CISA's wheelhouse.

    And the NSA should be doing critical infrastructure testing 24/7.

  • by JBMcB ( 73720 )

    Who the hell is putting SCADA on the internet? They need to be fired.

    • Boss: Hey I'm tired of coming into the office just give me remote access and don't set any complicated passwords

      • by cusco ( 717999 )

        Bingo. When I was doing physical security (key cards, cameras, alarms, etc.) in the field my biggest headache was always the boss who wanted stuff installed outside the corporate firewall so that he could access it without having to remember how to use the VPN. Fortunately my bosses always backed me up when I refused.

      • Automotive (Score:4, Interesting)

        by JBMcB ( 73720 ) on Tuesday May 21, 2024 @01:06PM (#64488307)

        There was a push for this in the automotive sector a couple of decades ago, so they made their own internet.

        https://en.wikipedia.org/wiki/... [wikipedia.org]

        It's secured with static certificates and end-to-end encryption over private leased lines. It's slow as dirt, but only carries small files, like shipping orders, production information and serial number rosters.

        If you *have* to do it, that's how you do it.

  • If a water company hires an IT employee, they only take people with 15 years of relevant experience, a PhD and the ability to pass six interviews and do 100 hours of world-class unpaid work for the company.

    How could they possibly be having trouble with their security systems?

  • by Beerismydad ( 1677434 ) on Tuesday May 21, 2024 @10:35AM (#64487873)
    I used to perform cyber and physical security assessments on utility companies in the U.S. and Canada, and was always maddened by the profit/cost-driven decisions to link IT and OT systems. The reasons for those decisions can be defensible if implemented correctly and monitored, but... anyway. As poor as the cyber hygiene was in some facilities, it was nothing like what I saw when I took a tour of my local community's water treatment facility. Unlocked systems in the control room running ancient versions of Windows, shared accounts and passwords, open connection to the internet, no log files retained (when I asked the engineer about that he looked confused and didn't answer). It was so, so bad...
    • Those hackers in Iran are doing us a favor. They’re basically acting like a vaccine, forcing our ecosystem to harden up without really causing all that much damage.

      Which means that they’re rank amateurs. Oh noes, Iran temporarily disabled the water system of a small midwestern town. Let’s all surrender in the face of Iran’s overwhelming might. What a glorious victory over the imperialistic American pigdog, eh? Eyeroll. You don’t see the NSA messing with other countries cyb
      • by cusco ( 717999 )

        You don’t see the NSA messing with other countries cybersystems

        Of course you don't SEE them doing it, and that's partly because other countries aren't adequately equipped to detect and trace the intrusions. Mostly though it's because our bought-and-paid-for media go out of their way to amplify every claim of the US, valid or not, and ridicule and denigrate any claims, valid or not, of the designated enemy-of-the-day. For their purposes it just matters whether or not you KNOW that they're doing it, and they have gone to great lengths and expense over the past four dec

    • Comment removed based on user account deletion
      • by cusco ( 717999 )

        In our area, Snohomish County, WA, customers can choose to buy power from Puget Sound Energy, a for-profit corporation, or the Snohomish Public Utility District. You can see the difference in maintenance just driving around, SnoPUD is absolutely brutal in tree trimming while PSE's lines are full of trees, drooping towards the ground, with leaning poles. Since SnoPUD's power is cheaper and FAR more reliable PSE doesn't have many customers in our county, at one point they were going to go to court to try to

  • The EPA, and the federal government generally, needs to stay in their lane and leave what is not explicitly granted as federal powers to the states. Am I concerned that there may be some security issues with internet connected water supply control systems? Sure, I guess so. Do I believe the federal government should be getting involved in securing these systems? No. Water supplies are a local issue.

    If the federal government wants to issue some guidance on how to secure water supplies then I guess that

    • >> Water supplies are a local issue.
      And you know this how? Where I live (Texas) there are state-owned corporations that own both the water itself and the treatment plants for vast drainage basins and reservoirs that serve many cities. The Lower Colorado River Authority is one example, and the corporate boards are chosen as part of the state political patronage system. They don't answer to anyone local.

      >> federal government for getting their nose in the business of local farmers
      Local farmers don'

    • by PPH ( 736903 )

      The problem is that these federal suggestions slowly evolve into requirements.

      That's true. But states do the same thing. And states (mine in particular) aren't smart enough to keep other parties, some with questionable motives, out of things like the water business.

      I have a use permit and have been pumping my own water for decades. But about once every ten years, the state makes a run at requiring all individual water users to be collected under some sort of "water associations". That's step one. Step two is everyone gets a meter, even on their own wells. Step three is: Once water u

  • by kackle ( 910159 ) on Tuesday May 21, 2024 @12:33PM (#64488207)
    I used to teach a SCADA class and am still in the water industry, 20+ years. I don't see "old" equipment and unencrypted local communications (phone, radio, cabling, etc.) as being a much of a risk because it would require someone to be nearby to monitor/affect whatever system, making them quite vulnerable to capture. If I were king, that's how the systems would all be, convenience be damned.

    What's much worse was when they started putting their systems on the Internet (even unintentionally, because cellular modems come with an IP address!). After such a change, it's best to have all the standard protections Slashdotters harp about, but that's an order of magnitude more of complexity--sometimes a big ask for the decent, but non-technical, blue collar folks who have been running such systems just fine for decades.

    And to address a side topic mentioned above, I don't see open source making headway because it suffers from the same problem as the computer industry: Since hardware (unnecessarily?) changes all the time (chips, PCs, etc.), there's not going to be a finished, never-changing platform, which means development is always going to be in flux. Who's going to do that, for free, forever? There are already plenty of abandoned open source projects.
    • Comment removed based on user account deletion
      • by kackle ( 910159 )
        Ideally, I thought about designs for hardware components that are simply made forever (think of Z80 or 8051 CPUs' longevity). Then, PLCs could be made with those, where everything stays the same, even the RTOS; they could be replaced with identical equipment upon failure, going forward. The SCADA PCs they use though would continue to have the same problems since there's a permanent (marketing?) push to update the hardware, OS and web browser with its JavaScrip-framework-du-jour, etc. New bugs, new quirks
  • Have the EPA ever given consideration to not connecting their critical infrastructure directly to the Internet. Use a private VPN running on embedded hardware, With end-to-end encryption, full authentication and irrevocable audit trail.
    • What troubles me is why any critical stuff needs to be connected. Pre-'net, actual persons went to the sites, performed what they needed to do, and as necessary to coordinate, harmonize, match frequencies, or just nod, smile, and listen to the boss, in person, fax, or by POTS-line voice phones. Things got done, by actual people that earned a paycheck and cared enough to get it right. So, sure, the internet made some stuff easier, arguably ~better, but what's the price of your soul? Or your job? Or your
      • > What troubles me is why any critical stuff needs to be connected. Pre-'net .. Things got done, by actual people that earned a paycheck and cared enough to get it right.

        That's just it by connecting remotely, less staff is need. Saving money for management salaries.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...