Environmentalists and policymakers warn water treatment plants are ripe for attack.
Industrial controls governing water-related U.S. critical infrastructure are woefully underestimated as cyberattack targets. The potential for attack, say policymakers, is too great to ignore, with consequences potentially devastating to populations.
On Wednesday, the Center on Cyber and Technology Innovation (CCTI) and the Cyberspace Solarium Commission (CSC 2.0) released policy statements based on a recent panel discussion titled “Strengthening the Cybersecurity of American Water Utilities.”
Water may be the greatest vulnerability in our national infrastructure, said Samantha Ravich, chair of CCTI. Much of the problem lies in just how decentralized water systems are, she explained.
“Each of these systems operates in a unique threat environment, often with limited budgets and even more limited cybersecurity personnel to respond to these threats,” she said. “Conducting federal oversight of, and providing sufficient federal assistance to, such a distributed network of utilities is inherently difficult.”
Panelists included representatives from government and environmental agencies, including the Environmental Protection Agency (EPA), American Water Works Association and congresspersons within the United States House of Representatives.
Panelists asserted that protecting critical water infrastructure systems from cyberattack was a greater imperative than protecting healthcare and the power grid, which includes nuclear facilities.
Ravich pointed out that the U.S. has around 52,000 drinking water and 16,000 wastewater systems.
Water treatment plants are a ripe target because the majority of them serve smaller communities of fewer than 50,000 residents. That often forces budget-challenged federal, state and municipal governments to make hard choices about what gets cybersecurity funding at the local level.
In an opening remark, Congressman Jim Langevin (D-RI) brought the issue home.
“The water sector should generate serious concern,” he stated, adding that this is because “known and unknown cyber actors are attempting to compromise both information technology and operational technology assets at water treatment facilities.”
Langevin cited a cyberattack on critical water infrastructure that occurred in 2021, when a water treatment plant in Oldsmar, Florida, was attacked. In that incident, a hacker broke into the IT system of Oldsmar’s water treatment plant and remotely accessed the computer system.
“[The plant] operator observed the mouse moving around on the screen to access various systems that control the water being treated,” according to reports. The hacker tried poisoning the supply by adjusting sodium hydroxide levels from 100 parts per million to 11,100. Because the plant operator observed what was going on, the attack was thwarted in time.
What if the plant hadn’t allocated adequate time and money to cybersecurity? Oldsmar, Langevin assessed, “demonstrated that under investments in water sector cybersecurity could lead to disaster.”
Fixing “under investments” in water security won’t be so straightforward. Langevin highlighted how utility providers often lack the resources to meet regulatory guidelines instituted by organizations like the EPA. And the EPA, for its part, “faces challenges in meeting its responsibilities when it comes to the day-to-day relationship between the federal government and their water sector.”
“Knowing what we know about the cyber threats facing the water sector,” Langevin concluded, “this status quo simply cannot continue. The risks are too great. So we need to raise the bar among water utilities across the country, build a capacity and strengthen adherence to industry-wide standards. And we need to ensure that the EPA is appropriately resourced and empowered to fulfill its critical mission as a sector risk management agency for water.”
The full panel discussion can be found on YouTube.