Experts Testify on Cyberthreats to Water Treatment PlantsSenate Panel Hears Testimony About Vulnerabilities at Facilities
U.S. water treatment facilities are increasingly vulnerable to cyberthreats to their IT networks as well as their OT systems, according to experts who testified at a Senate committee hearing this week.
The Senate Environment and Public Works Committee held the hearing Wednesday to address concerns raised by a series of cyber incidents at water treatment facilities over the last few months, including a February incident in Florida, when an intruder gained remote access to the network of the water treatment facility for the city of Oldsmar and attempted to increase the amount of lye in the water system. That attack was thwarted.
In April, the FBI charged a Kansas man with accessing the network of a local water treatment facility and tampering with the systems that control the cleaning and disinfecting procedures for local water sources (see: Kansas Man Faces Federal Charges Over Water Treatment Hack).
In recent weeks, the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency have urged companies that have oversight over the nation's critical infrastructure to step up their cybersecurity defenses.
Growing Security Concerns
In his opening remarks at the hearing, Tom Carper, D-Del., committee chairman, noted that water treatment facilities are increasingly susceptible to intrusion from cybercriminals as well as nation-state groups.
"We face threats from unscrupulous individuals - from criminal enterprises and antagonistic state actors - 24 hours a day, seven days a week. It's clear that many of our nation's vital transportation and water systems face especially serious challenges in dealing with cybersecurity vulnerabilities," Carper said. He noted that the FBI and DHS have recently warned that groups associated with the Russian government have tried to target water facilities.
Sen. Shelley Capito, R-W.Va., the ranking member, noted that recent security incidents can "leave us questioning the safety of our water systems."
IT and OT Vulnerabilities
The committee heard testimony from John Sullivan, the chief engineer of the Boston Water and Sewer Commission, who also works with the Association of Metropolitan Water Agencies, which represents the largest publicly owned drinking water systems in the U.S.
Sullivan noted that water treatment plants face threats to IT networks and infrastructure, which support front-end operations, as well as OT systems that support SCADA - supervisory control and data acquisition - systems and industrial controls that help control and secure treatment processes, sensors, valves, pumps and other utility infrastructure.
In the last year, a Boston Water and Sewer Commission facility sustained a ransomware attack, most likely involving strain called Egregor, which hampered operations for a time, but the incident did not directly affect the overall safety of the city's drinking water, Sullivan testified.
"While it complicated day-to-day business for many weeks and was costly to recover from, there was never any threat to public or environmental health, due to our business network being segregated from our control system, among other precautions," Sullivan testified. "This saved the utility from suffering much greater impacts and is a best practice in any sector that uses industrial control systems, but this approach is not consistent across the sector."
The greater concern, Sullivan said, is the threat of an attack affecting an OT system, like what apparently happened at the Oldsmar, Florida, facility. In that incident, the intruder first took advantage of an unsecured instance of TeamViewer to gain remote access to the water treatment facility's network. It's not clear whether the water treatment facility's senior managers authorized the use of TeamViewer for remote access by staff (see: 5 Critical Questions Raised by Water Treatment Facility Hack).
"This incident is emblematic of how bad actors can take advantage of cyber vulnerabilities that may be present in many of the nation’s roughly 50,000 drinking water systems and 16,000 wastewater systems, and it is easy to imagine how the outcome might have been far worse," Sullivan testified.
The committee also heard testimony from Sen. Angus King, I-Maine, who served as co-chair of the Cyberspace Solarium Commission, which addressed cybersecurity issues within water treatment facilities and other critical infrastructure as part of the report it published in 2020.
The commission recommended that the Department of Homeland Security work closely with the operators of these facilities and help identify vulnerabilities in both IT and OT systems as well as share more threat intelligence.
"We must do more to ensure that mature companies are able to share with and receive information from the federal government in real time," King testified. "The creation of a cloud-based Joint Collaborative Environment would supply the federal government and critical infrastructure owners and operators with a common, interoperable virtual environment to share and fuse threat information, insight and other relevant data, allowing the federal government to give real-time warning of incoming threats."
Sullivan said Congress also should consider providing additional funding to the Environmental Protection Agency, which has oversight over the nation's water treatment facilities, to address cybersecurity issues.
Critical Infrastructure Security
The Senate committee also heard from Rep. Mike Gallagher, R-Wis., the other co-chair of the Solarium Commission, who noted that the group determined that water treatment facilities lagged behind other sectors in cybersecurity readiness since they rely on older technologies, lack security expertise and have budget challenges.
"The commission concluded that 'water utilities remain largely ill-prepared to defend their networks from cyber-enabled disruption.' As we've continued our work on improving the nation's cybersecurity, bolstering the ability of the water sector to detect, prevent and withstand cyberattacks has emerged as a crucial priority," Gallagher testified.
To emphasize the issues that smaller, rural water facilities face, the committee heard from Sophia Oberton, the special projects coordinator for the small city of Delmar, which falls in both Maryland and Delaware.
Oberton testified that her area's drinking water facility uses a rudimentary SCADA system not connected to the internet. Oberton pointed out that she and her team mainly focus on physical security. And she told the committee that government-mandated cybersecurity measures would be nearly impossible to implement unless the facility received additional funding.
"The reality is that small towns have limited financial resources, which must be targeted to meet our greatest needs," Oberton testified. "We would not want to see any new federal cybersecurity initiative or regulation result in the reprioritization of these limited resources to compliance with a new federal cyber program. And we simply can't just increase water rates to cover the cost of new federal requirements."