Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Water break.
In an Oct.11 announcement, the Environmental Protection Agency pulled back its March mandate that water-system audits must include a cybersecurity assessment. While the EPA withdrew the requirement, the agency emphasized the importance of protecting critical hydration stations:
“Cybersecurity attacks on water and wastewater systems occur frequently and are a significant threat to their operations. EPA encourages all states to voluntarily engage in reviewing public water system cybersecurity programs within the sanitary survey or an alternate process to ensure that deficiencies are corrected, and potential public health impacts are minimized,” the agency said.
How do you “review” your “public water system cybersecurity program,” exactly? An EPA checklist cites essential security practices for water-management systems—safeguards that are not so different from IT practices around the office, including multi-factor authentication for remote access to OT networks; a minimum length for passwords; elimination of public-internet connections; and an asset inventory.
What’s the holdup? On July 12, the US Court of Appeals for the 8th Circuit paused the memo’s enforcement, after it was sued by Missouri, Iowa, Arkansas, The American Water Works Association (AWWA), and the National Rural Water Association (NRWA).
“The rule would have required cybersecurity reviews by state regulatory agencies that lack expertise and resources for cybersecurity oversight,” AWWA and NRWA said in a press release issued after the EPA withdrawal.
The EPA will continue to explore opportunities to lower cybersecurity risk for public water systems, according to an email IT Brew received from communications liaison Robert Daguillard citing “cybersecurity risk assessments, expert consultations, and training.”
Can we start you off with something to hack? In January 2021, a hacker armed with a former employee’s username and password tried to “poison a water-treatment plant that served parts of the San Francisco Bay Area.” A cyberattack on a Florida-based water treatment plant (or cybermistake, depending on who you ask) increased lye levels in the water. A 2022 Senate Committee report warned of the risks of contamination and disruption to the 153,000 public drinking-water systems in the United States.
Concern for industrial control system security has gone from great to greater, according to a 2023 ICS/OT Cybersecurity Survey led by the SANS Institute, a group that specializes in infosec training and education, which received more than 700 responses from security professionals at industry verticals like energy, chemical and water management. 44% of respondents considered the current cybersecurity threats against industrial control systems “high,” compared to 41% in 2022, 40% in 2021, and 38% in 2019.
A security to-do list protecting critical infrastructure, however, requires a dedicated staff to implement it, not just one IT pro in the room, Ashley Johnson, senior policy analyst for the Information Technology and Innovation Foundation, a DC-based think tank, told IT Brew.
“Which is, unfortunately, what you run into in a lot of situations, especially once you drill down all the way to local government, where there’s just not a very big budget to spend on cybersecurity,” Johnson said.