One subtlety consistently overlooked about the Oldsmar water treatment facility breach in February was the willingness of law enforcement and plant officials to share details about the attack vector used to gain access to the network, as well as the potential consequences to public safety had controls not been in place to mitigate the attacker's actions. Pinellas County Sheriff Bob Gualtieri, flanked by plant management, commanded a press conference disclosing the attack days after the incident and was lauded not only for telling the public that their drinking water was safe, but for being forthright about critical details on how intruders got into the plant network. His message to the public was equal parts informative and reassuring, stating that certain redundancies and safeguards innate to water treatment facilities would have prevented tainted water from reaching residential or commercial customers.

This is going to be an important case study as conversations ramp up on Capitol Hill about mandating breach disclosure for critical infrastructure sectors in the United States. There is tremendous value in these details for peers across industries. Knowing, for example, that attackers were using stolen TeamViewer credentials to remotely access HMIs and change chemical levels in drinking water would hopefully nudge others in the sector to lock down credentials, implement two-factor authentication, and be more forceful about the need for overall risk and governance assessments.

Compounding the urgency of this narrative around mandatory reporting is the story that broke last week from NBC News that a Bay Area water treatment facility was breached by remote attackers. The intruders gained access via a former employee's TeamViewer credentials that had not been terminated. Once on the network, the attacker was able to delete applications used to treat public drinking water, NBC News said. Had details about the Bay Area attack been disclosed in a timely manner one month before Oldsmar, that incident may have been prevented, and almost certainly there have been other breaches, as of yet unreported, that may be linked to this same attack vector.

Information sharing has become a pat answer in the aftermath of a breach, yet it can work in a controlled environment, even among competitors (see the numerous industry ISACs supporting such activity). Hacks that threaten public safety, however, seem to have awoken U.S. leadership and lawmakers, more so than have the endless stream of personal information and payment card data thefts.

Government decision-makers are going to get more fuel for their fire in the wake of the results this week of a survey conducted by the Water Information Sharing and Analysis Center (WaterISAC). Almost 600 water treatment facility employees took part, and some of the numbers are not pretty: Only 38% of water utilities have inventoried IT-networked assets; another 22% are working to do so. 31% have inventoried all OT-networked assets; another 23% are working to do so. Of those that have identified all IT and OT assets, 75% have implemented cybersecurity programs at varying stages of maturity. 45% of systems allocate less than 1% of budget to OT cybersecurity; 1.7% allocate more than 10% of budget to cybersecurity. 38% of systems allocate less than 1% of budget to OT cybersecurity; 4.1% allocate more than 10% of budget to cybersecurity.

Respondents, meanwhile, want help from the federal government. Many of them are under-funded and under-resourced to handle cybersecurity threats, in particular from advanced attackers who have deep pockets and a wealth of knowledge to exploit internet-connected OT control systems. They're asking for help from the federal government in four areas: training and education specific to the water sector; technical assistance, assessments, and tools; cybersecurity threat information; and federal loans and grants. There is some help available, including the American Water Works Association's "Cybersecurity Guidance and Tool," which aligns with the NIST Cybersecurity Framework and America's Water Infrastructure Act of 2018. The tool is a voluntary approach for implementing cybersecurity controls for water systems, many of which serve relatively small communities.