US Says Russia Exploiting Weak Security at Water, Wastewater Plants
Shoddy security practices. Short of cash. Lack of personnel to deal with threats. Outdated equipment connected to the Internet. Weak passwords.
CISA and the FBI say these are just some of the issues that critical infrastructure operators are facing.
Anti-U.S. (pro-Russian) hackers are intensifying attacks on critical infrastructure such as water, wastewater, dams, energy and agriculture, according to both U.S. and allied security authorities.
CISA, the FBI, several U.S. agencies, the Canadian Center for Cyber Security and the U.K. National Cyber Security Center put out an alert yesterday about these problems.
The systems being attacked are O.T. systems, not I.T. systems. O.T., or operational technology, systems are those that control water treatment, dam water release, wastewater purification, refinery operations and many more functions. O.T. systems do not need users sitting in front of a keyboard or screen to operate.
There are a lot of problems.
Many of these O.T. systems are decades old, built long before anyone was worried about security.
In many cases, operators removed people from the plants to save money. That means that the plants are operated and/or monitored remotely. Because the people doing this were plant operations people, they did not understand security and did not implement it.
When these people were told to fix things, they complained that the fixes were hard. Or expensive. Or they affected operations.
When Colonial Pipeline shut down in 2022, no one really cared about hard or expensive. Priorities change. Think about Bhopal. When people started dropping dead, the authorities changed their tunes. Estimates are that 15,000 to 20,000 people died as a result of that incident. An entire industry changed pretty much overnight. Sadly, that is probably what it will take here.
Global cyber authorities have observed pro-Russian hackers gaining remote access through a combination of publicly exposed internet-facing connections and unpatched software, the report says. Hackers also exploit default and weak passwords for accounts not protected by multifactor authentication.
Google-owned threat intelligence firm Mandiant published a report in April that links attacks on Polish and U.S. water utilities and a French hydroelectric facility with a self-proclaimed Russian hacktivist group that has ties to Sandworm, Russia’s preeminent cyber sabotage unit. Officials at a Texas water facility in February acknowledged a “system malfunction.” A city manager of Muleshoe, Texas, said officials discovered the hack after a citizen reported an overflowing water tank, reported the Plainview Herald (see: The Global Menace of the Russian Sandworm Hacking Team).
https://www.databreachtoday.com/us-allies-issue-cyber-alert-on-threats-to-ot-systems-a-24993
But the government moves slowly. Given that Congress is run by people who were born before there were any computers, never mind the Internet, they don’t understand the problem. But, just like with the border crisis, they will be quick to blame the people in charge whom they have not given the authority or budget to deal with the problem.
The EPA tried to mandate security inspections of water plants. The lawyers sued and said you can’t do that. The lawyers won. Did Congress give the EPA or someone else the authority to do that after the lawyers intervened? Nope!
So this is a crisis totally of our own making. The good news is that I run my own water and wastewater systems. I can make them much more secure than the City of Denver. Why? Because I control my budget and my rules. Too bad hundreds of millions of Americans do not have that ability.
But not to worry. As soon as Russian hackers kill a bunch of people, either here or abroad, legislators will spring into action and pass who knows what. They certainly don’t. But when it comes to bad press, they have to do something, whether that something has been thought through or not.
Credit: Data Breach Today and CNN