America's drinking water systems have a hard-to-swallow cybersecurity problem

Nearly a third of US residents are served by drinking water systems with cybersecurity shortcomings, the Environmental Protection Agency's Office of Inspector General found in a recent study – and the agency lacks its own system to track potential attacks.  The EPA OIG released a report last week that found 308 of the 1,062 …

  1. martinusher Silver badge

    I didn't know water was intelligent

    Obviously I'm being a bit supercilious here, we all know that what the article means is that SCADA systems that are used in water supply aren't hardened against various forms of cyber attack. It's just that there's this assumption that a) everything's got to be controlled by a PC type SCADA system b) this system has to be connected (directly) to the public internet and c) we're only going to be safe if everyone gets on the security/update treadmill and keeps paying for endless updates.

    Many of us will have noticed one of the oldest marketing tricks in the computer book -- "FUD". "Hundreds of millions of people are at risk / Act Now or it will be too late or We Will All Be Doomed" and so on. Ignore the fact that the worst recent water supply problem, the one in Flint, was caused by politicians forcing a municipal water system to switch water sources to save a bit of money.

    1. Paul Crawford Silver badge
      Facepalm

      Re: I didn't know water was intelligent

      b) this system has to be connected (directly) to the public internet

      I think this is the critical aspect, just WTF are companies doing making any hardware visible on the Internet, or indeed on an Intranet that is shared by Windows PCs used for web/email.

      While folks might point to Stuxnet, the reality is compromising a non-connected system is many orders of magnitude harder than one made accessible by some Muppet.

    2. diodesign (Written by Reg staff) Silver badge

      Yeah, it's computer security

      And I get the need to be allergic to vendor-based FUD ('OMG we're doomed... unless you buy our product') but bear in mind this is the EPA Assistant Inspector General telling us this. They're not selling anything, though do hope someone takes notice.

      C.

      1. jake Silver badge

        Re: Yeah, it's computer security

        Those of us involved in security (real security, not Board Level Security) have been telling corporations/government/schools not to hook SCADA into ANY publicly available network since before the move from NCP to TCP/IP, back on January 1st 1983.

        Have they ever listened? Have they fuck ... all they see is "free long-distance comms? I'm 'avin' some of THAT!!!" and promptly hook the security for everything up to a network that anybody can access, at any time, for any purpose, world-wide.

        On the bright side, I'm making a pretty penny in my retirement, cleaning up the resulting mess.

        The icing on the cake is occasionally being able to stand up in front of the Board and telling them "I TOLD you so, you fucking idiots!" ...

  2. DS999 Silver badge

    Why don't we just ban them from connecting to anything touching the internet?

    Can't hack into it if it is on an isolated air gapped network.

    1. usbac

      Re: Why don't we just ban them from connecting to anything touching the internet?

      It's more difficult to hack into, not impossible.

      1. jake Silver badge

        Re: Why don't we just ban them from connecting to anything touching the internet?

        Unlikely to be hacked into, with the chances closer to 0% than the near 100% that is happening today.

        And it only costs NOT hooking up a wire (or NOT turning on the wireless ...).

        Yes, folks, you have to go out of your way, and sometimes WAY out of your way, to enable this form of nefariousness in the first place. It costs real money to make yourself vulnerable.

        Have fun!

      2. DS999 Silver badge

        Re: Why don't we just ban them from connecting to anything touching the internet?

        OK sure someone could break into the facility, but since it is likely almost all overseas hackers that's unlikely to be a big issue. Besides once they're inside they can directly mess with the equipment, controlling the computer systems is an unnecessary step.

        1. collinsl Silver badge

          Re: Why don't we just ban them from connecting to anything touching the internet?

          You have to have an agent on the ground for that though. Hacking can be done from the "comfort" of your desk chair in North Korea.

          Paying a local criminal to rough someone up or even assassinate them via other criminal networks can work (as demonstrated with the assassinated defected Russian pilot in Spain recently) but I don't think a criminal enterprise would be happy to poison their own or someone else's water source, that's going a bit too far, or even breaking everything in sight so the supply is interrupted, so you'll need your own agent to do the work (armed with sufficient bottled water to avoid drinking any themselves or to get them through any resulting supply issues).

  3. Ribfeast

    I used to work for a water utility in Australia, and the SCADA network was totally isolated from the internet and any other network, essentially air gapped. Surprised this isn't standard practice.

    1. Martin-73 Silver badge

      I on the other hand am not, people will be people, aka stupid. This makes it easier, why have 2 PCs when I can have one, mentality

    2. DS999 Silver badge

      It should be, but somewhere there's a requirement to get statistics out and the easiest way to do that is to hook things up to the internet. A water utility isn't likely to have a proper sysadmin, let alone a proper security administrator - that stuff is probably set up by whichever guy (probably with a chemistry degree) is the most computer literate. Or worse, the new guy gets stuck with it if no one is really excited about doing that stuff.

      Once they have it hooked up to get statistics out even if they managed to do that without opening up a hole then the senior guy wants to work from home a couple days a week and since he's the most experienced and the management wants to keep him they set it up so he's got remote access to login.

  4. IGotOut Silver badge

    Easy Fix Incoming

    Disband the EPA.

    No more reports about poor security.

    Profits up.

    Job Done.

    Late stage capitalism for the win.

    1. Martin-73 Silver badge

      Re: Easy Fix Incoming

      probably should've done the troll face or coat icon, but upvote to cancel the downvote

      1. IGotOut Silver badge

        Re: Easy Fix Incoming

        Nah. I always get 1 downvote. I have to check the post hasn't been removed if it's not there.

        I think Musk or one of his ilk sits there giggling down voting everyone while whacking one off.

    2. Wang Cores

      Re: Easy Fix Incoming

      Homer Simpson voice: "So what if the water burns when you drink it, we can just set it on fire to burn off the oil!"

    3. Yet Another Anonymous coward Silver badge

      Re: Easy Fix Incoming

      >Disband the EPA.

      That seems rather drastic

      The clearly thought out, well-researched, political solution is to fire 75% of the staff based on their SSN, cut the budget by 75% and have a law saying that companies can ignore any of their rules unless they win in court.

      And then appoint a leader who believes we need to ban DiHydrogen Monoxide

  5. Anonymous Coward

    A little bit of FUD and no cheese

    Sounds like a Bitsight report. I don't like getting those either.

  6. Slow Joe Crow

    SCADA systems are known to be vulnerable, partly due to lazy configuration, and partly due to insecure design. I guess the only comfort is that my water company is very small and supplies untreated well water so hacking the treatment plant is a non-starter

  7. Softsuits

    Several States sue to stop the Federal Government from doing an Assessment

    Shouldn't be an issue with Homeland Security on the Job. I'm sure they are doing accreditations and ensuring they remain up to date. Bottled water manufacturers are probably not complaining about cyber issues; it's a definite growth industry. Using public networks and protocols for distributed systems; what could possibly go wrong?
