Water utilities have installed computer-based remote controls “with little attention paid to security,” leaving valves, pumps and chemical mixers for water supplies vulnerable to cyber-attack, according to an Environmental Protection Agency report.
In a report Monday, the EPA’s inspector general cited costs, lack of ability to check employees’ backgrounds and poor communication between technical engineers and management for the shortcomings.
Benjamin Grumbles, EPA’s water chief, said Monday he agrees with the report’s assessment that there are “a broad range of challenges” facing water utilities, particularly with wireless communications systems, but that his office now has a plan for making improvements.
“We are actively working to provide additional tools to communities to enhance cyber security, providing funding for information that would be placed on a secure web site by the fall, to help utilities be more aware of potential threats to their computer systems,” Grumbles said.
His office also is getting help, he said, from the Homeland Security Department on ways of dealing with cyber threats and from an advisory council on how to help utilities measure their improvement.
The computer-based controls were “developed with little attention paid to security, making the security of these systems often weak,” the report says. As a result, many of the Supervisory Control and Data Acquisition networks used by water agencies to collect data from sensors and control equipment such as pumps and valves “may be susceptible to attacks and misuse.”
The danger is illustrated by an attack on an Australian waste management system in 2000, the report says. An engineer who had worked for the contractor that supplied the remote control equipment for the system used radio telemetry to gain unauthorized access and dump raw sewage into public waterways and the grounds of a hotel.
EPA Inspector General Nikki L. Tinsley urged EPA to find out what is keeping specific water utility operators from making the systems secure, and to develop federal security measures that could be used to correct the problems.
The review by Tinsley’s office was suspended after a meeting with Grumbles’ office, which agreed to incorporate her concerns into its work.
Tinsley notes that EPA spent $250,000 in 2002 to pay for research into how to improve security for computerized and automated systems and that Homeland Security began focusing on protections for the networks only last May.
In September, Grumbles told a House Energy subcommittee that the Bush administration had “worked diligently” to improve security of water facilities including 54,000 community drinking water systems and 16,000 public wastewater treatment plants.
The National Research Council, reviewing EPA’s plan for improving water system protection, also has cited a need for more attention to security in designing the networks, and for heading off potential internal threats such as actions by a disgruntled employee.
On the Net:
EPA Inspector General: https://www.epa.gov/oig