Utility computer systems susceptible to cyber attack, EPA inspector reports

In a Jan. 6 report released Monday, EPA Inspector General Nikki Tinsley pointed out that computer-based monitoring and control systems installed by water utilities "may be susceptible to attacks" by cyberterrorists...

Jan 14th, 2005

WASHINGTON, DC, Jan. 14, 2005 (Staff & Wire Reports) -- In a Jan. 6 report released Monday, EPA Inspector General Nikki Tinsley pointed out that computer-based monitoring and control systems installed by water utilities "may be susceptible to attacks" by cyberterrorists.

Benjamin Grumbles, acting assistant administrator in EPA's Office of Water, told the Seattle Post-Intelligencer that he agrees with the report's findings and has a plan for securing operating systems, particularly wireless communications systems.

The Homeland Security Department and the agency have been working together since May to research how to improve security of utilities' computerized systems. The agency spent $250,000 in 2002 to investigate related options.

The American Water Works Association also is hosting a Water Security Congress (www.awwa.org/conferences/congress/) in Oklahoma City on April 10-12 to discuss issues raised by the report and industry alternatives.

A summary of the EPA Office of the Inspector General report posted to the OIG website follows:

EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known SupervisoryControl and Data Acquisition (SCADA) Vulnerabilities

Why We Did This Review
Federal Directives highlighted the need to secure cyberspace, including SCADA, from terrorists and other malicious actors, and stated that securing SCADA is a national priority. We learned from stakeholder contacts that utilities may require assistance in order to secure their SCADA system vulnerabilities.

Background
SCADA is a technology that allows a user to collect data from sensors and control equipment, such as pumps and valves, from a remote location. SCADA is commonly used in many industries, including water utility operations.

We suspended our SCADA project because EPA agreed to incorporate our concerns into an Agency SCADA project. At EPA's request, we briefed the Agency on our preliminary research and prepared this briefing report.

What We Found
SCADA networks were developed with little attention paid to security. As a result, many SCADA networks may be susceptible to attacks and misuses. Furthermore, studies indicated that some water utilities may have spent little time and money securing their SCADA systems.

Some areas and examples of possible SCADA vulnerabilities include operator errors and corruption, unsecured electronic communications, hardware and software limitations, physical security weaknesses, natural disasters, poorly written software, and poor security administration. Vulnerabilities may allow a person of malicious intent to cause significant harm. For example, in 2000, an engineer used radio telemetry to gain unauthorized access into an Australian waste management system and dump raw sewage into public areas. In another example, a contractor conducting a utility water assessment stated that he was able to access the utility's network from a remote location within minutes and could have caused significant harm.

Through preliminary research, we found several possible reasons why utilities have not successfully reduced or mitigated identified vulnerabilities. It is important to note that this list is not in any way expected to be exhaustive of what a full study may reveal. Specifically:
-- Current technological limitations may impede implementing security measures.
-- Companies may not be able to afford or justify the required investment.
-- Utilities may not be able to conduct background checks on existing employees.
-- Officials may not permit SCADA penetration testing.
-- Technical engineers may have difficulty communicating security needs to management.

To better enable water systems to secure their SCADA systems, we suggest that EPA identify impediments preventing water systems from successfully reducing or mitigating SCADA vulnerabilities, and take steps to reduce those impediments.

If EPA identifies a problem with no apparent solution, the Agency should communicate this problem to the Department of Homeland Security, Congress, and others as appropriate. We also suggest that EPA develop SCADA security measures to track the effectiveness of security efforts.

To view the full report, click on the following link: www.epa.gov/oig/reports/2005/
20050106-2005-P-00002.pdf.

***

NOTE: Some information in this report was drawn from a Jan. 11 Greenwire article on the topic.

###

More in Technologies
Wastewater treatment 4.0
Sponsored
Wastewater treatment 4.0
Jun 14th, 2019
Pipeweb
Distribution
Brown and Caldwell begins work on Allen-McColloch Pipeline rehab for Metropolitan Water District of Southern California
Aug 8th, 2019
Puraffinity Logo
Filtration
Customem changes name to Puraffinity
Aug 5th, 2019
20190708 121345
Utilities
AVT, R2M deliver AVT EZ Valve™ Kits to first UK water company customer
Aug 2nd, 2019
Ami Smart Meter
Asset Management
Moulton Niguel awarded $1.5M for smart meter program
Aug 2nd, 2019
Images
Treatment
Advanced Drainage Systems acquires Infiltrator Water Technologies
Aug 1st, 2019
375 250 Wplretrofit
Wastewater
WPL awarded retrofit wastewater contract for United Utilities
Jul 31st, 2019
Echologics® ePulse® acoustic technology.
Utilities
Listening for Leaks
Jul 1st, 2019
“Sussey,” a sewage-sniffing dog, signals a found scent through intense eye contact with his handler, Middle Susquehanna Riverkeeper Carol Parenzan. Photos courtesy of Middle Susquehanna Riverkeeper Association Inc./Ann Nowaskie.
Flow / Level / Pressure Measurement
Sniffing Out Leaks Along the Susquehanna
Alanna Maya
Jul 1st, 2019
Safford Az Gila Valley Nr Hero Image
Distribution
Safford, Ariz. establishes smart utility network
Jul 30th, 2019