Hackers have recently tampered with critical infrastructure entities in the United States. This includes the Colonial Pipeline incident that affected the supply of gas and the JBS Foods hack that affected operations of the meat-packing giant.
However, neither of these ransomware attacks had any severe, real-world consequences. Sure, some people couldn't put gas in their cars for a couple days, or the price of meat might have gone up in some areas, but no lives were immediately threatened.
But what if the hackers decided to attack something a little more important? Say, the drinking water systems that we quite literally might not be able to live without for more than a week?
According to a report by the Water Sector Coordinating Council (WSCC), the majority of the 52,000 drinking water systems in the U.S. have not inventoried some or any of their IT systems.
The WSCC surveyed 606 employees of water treatment facilities and found that only 37.9% had identified all IT-networked assets, with 21.7% currently working toward that goal.
As for operational technology (OT), just 30.5% had identified all OT-networked assets, with an additional 22.5% working to do so.
The report concludes with this:
"Identifying IT and OT assets is a critical first step in improving cybersecurity. An organization cannot protect what it cannot see."
Brian Krebs also notes that it is challenging to identify threats you are not looking for: 67.9% of water systems reported no security incidents in the last month, which is a fairly unlikely scenario.
There have been a few recent attacks on treatment facilities, and those have mostly been caused by a failure to properly secure employee accounts that can be used for remote access.
Here are some examples from earlier this year, according to reporting by Brian Krebs:
"In April, federal prosecutors unsealed an indictment against a 22-year-old from Kansas who's accused of hacking into a public water system in 2019. The defendant in that case is a former employee of the water district he allegedly hacked.
In February, we learned that someone hacked into the water treatment plant in Oldsmar, Fla. and briefly increased the amount of sodium hydroxide (a.k.a. lye used to control acidity in the water) to 100 times the normal level. That incident stemmed from stolen or leaked employee credentials for TeamViewer, a popular program that lets users remotely control their computers.
In January, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area, reports Kevin Collier for NBCNews. The hacker in that case also had the username and password for a former employee's TeamViewer account."
The Water Infrastructure Act of 2018 requires utilities serving between 3,300 and 50,000 residents to complete a cybersecurity risk and resiliency assessment by the end of this month.
Andrew Hildick-Smith, a former manager of remote access systems for the Massachusetts Water Resources Authority, says the number of larger facilities compliant with the Act is roughly equal to the number of companies that have inventoried all of their IT, so about 37%.
What concerns Hildick-Smith is that a large portion of the facilities in the U.S. serve fewer than 3,300 residents, meaning they do not have to report their cybersecurity practices to the Environmental Protection Agency.
"A large number of utilities—probably close to 40,000 of them—are small enough that they haven't been asked to do anything. But some of those utilities are kind of doing cybersecurity based on self motivation rather than any requirement.
Others do not have access to a cybersecurity workforce. Operating in the background is that these utilities are struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations."
The report argues that these water treatment facilities need more funding at the federal and state level. Thirty-eight percent of the facilities allocate less than 1% of their annual budget to cybersecurity.
Regardless, employees also need to be trained in cybersecurity best practices so that credentials cannot be stolen so easily.