720-891-1663
Return to list of client alerts
Industrial controls governing water-related U.S. critical infrastructure are woefully underestimated as cyber targets and woefully under protected.
We saw last year, multiple water treatment plant attacks that succeeded to differing degrees. Even down to a small dam in suburban New York City.
Water may be the greatest vulnerability in our national infrastructure, said Samantha Ravich, chair of CCTI. Much of the problem lies in just how decentralized water systems are, she explained.
https://threatpost.com/water-cyberattack-target/179935/
Each system has its own, unique design. Add to that, limited budgets. Top it off with almost to no cybersecurity expertise and you wind up with a mess.
The U.S. has over 50,000 drinking water systems and another 15,000 wastewater systems.
The majority of these serve small communities. That means that they don’t have big budgets and big teams.
In the Oldsmar, Florida attack last year, the only reason that the water supply was not poisoned was that an operator happened to be looking at the screen at the moment the hacker changed the level of sodium hydroxide in the supply from 100 parts per million to 11,100 PPM. What if he did that at 11 PM instead of 11 AM, when there was no one in the control room?
Not only are the water utilities under staffed, but the EPA has its own set of problems.
While most of you reading this don’t run a water treatment plant, most of you do drink water.
And while this particular warning is directed at drinking- and waste- water, there are millions of other targets out there – ones that are under-protected, under-funded and under-staffed.
We see this every week with attacks on the healthcare sector. Those systems are under-protected, under-funded and under-staffed. The evidence is that those attacks are working. For the most part, we have not been able to DIRECTLY tie patients losing their lives to the attacks, but you could make a case for indirect effect. There are lots of areas of critical infrastructure that could be targeted. Even if the attack is mostly symbolic. Credit: Threatpost