Utility computer systems susceptible to cyber attack, EPA inspector reports

In a Jan. 6 report released Monday, EPA Inspector General Nikki Tinsley pointed out that computer-based monitoring and control systems installed by water utilities "may be susceptible to attacks" by cyberterrorists...

Jan 14th, 2005

WASHINGTON, DC, Jan. 14, 2005 (Staff & Wire Reports) -- In a Jan. 6 report released Monday, EPA Inspector General Nikki Tinsley pointed out that computer-based monitoring and control systems installed by water utilities "may be susceptible to attacks" by cyberterrorists.

Benjamin Grumbles, acting assistant administrator in EPA's Office of Water, told the Seattle Post-Intelligencer that he agrees with the report's findings and has a plan for securing operating systems, particularly wireless communications systems.

The Homeland Security Department and the agency have been working together since May to research how to improve security of utilities' computerized systems. The agency spent $250,000 in 2002 to investigate related options.

The American Water Works Association also is hosting a Water Security Congress (www.awwa.org/conferences/congress/) in Oklahoma City on April 10-12 to discuss issues raised by the report and industry alternatives.

A summary of the EPA Office of the Inspector General report posted to the OIG website follows:

EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known SupervisoryControl and Data Acquisition (SCADA) Vulnerabilities

Why We Did This Review
Federal Directives highlighted the need to secure cyberspace, including SCADA, from terrorists and other malicious actors, and stated that securing SCADA is a national priority. We learned from stakeholder contacts that utilities may require assistance in order to secure their SCADA system vulnerabilities.

Background
SCADA is a technology that allows a user to collect data from sensors and control equipment, such as pumps and valves, from a remote location. SCADA is commonly used in many industries, including water utility operations.

We suspended our SCADA project because EPA agreed to incorporate our concerns into an Agency SCADA project. At EPA's request, we briefed the Agency on our preliminary research and prepared this briefing report.

What We Found
SCADA networks were developed with little attention paid to security. As a result, many SCADA networks may be susceptible to attacks and misuses. Furthermore, studies indicated that some water utilities may have spent little time and money securing their SCADA systems.

Some areas and examples of possible SCADA vulnerabilities include operator errors and corruption, unsecured electronic communications, hardware and software limitations, physical security weaknesses, natural disasters, poorly written software, and poor security administration. Vulnerabilities may allow a person of malicious intent to cause significant harm. For example, in 2000, an engineer used radio telemetry to gain unauthorized access into an Australian waste management system and dump raw sewage into public areas. In another example, a contractor conducting a utility water assessment stated that he was able to access the utility's network from a remote location within minutes and could have caused significant harm.

Through preliminary research, we found several possible reasons why utilities have not successfully reduced or mitigated identified vulnerabilities. It is important to note that this list is not in any way expected to be exhaustive of what a full study may reveal. Specifically:
-- Current technological limitations may impede implementing security measures.
-- Companies may not be able to afford or justify the required investment.
-- Utilities may not be able to conduct background checks on existing employees.
-- Officials may not permit SCADA penetration testing.
-- Technical engineers may have difficulty communicating security needs to management.

To better enable water systems to secure their SCADA systems, we suggest that EPA identify impediments preventing water systems from successfully reducing or mitigating SCADA vulnerabilities, and take steps to reduce those impediments.

If EPA identifies a problem with no apparent solution, the Agency should communicate this problem to the Department of Homeland Security, Congress, and others as appropriate. We also suggest that EPA develop SCADA security measures to track the effectiveness of security efforts.

To view the full report, click on the following link: www.epa.gov/oig/reports/2005/
20050106-2005-P-00002.pdf.

***

NOTE: Some information in this report was drawn from a Jan. 11 Greenwire article on the topic.

###

More in Technologies
Ww Wpro19 Badger Jacob Jaspersen 815135414
Flow / Level / Pressure Measurement
WaterPro 2019: Badger Meter

Badger's Jacob Jaspersen discusses how IoT technologies are enabling water utilities to do more with less.

Oct 1st, 2019
De Nora News
Treatment
De Nora inaugurates new $29M manufacturing plant in Mentor, Ohio

Energy- and water-efficient facility makes electrodes used to produce chlorine for water disinfection.

Sep 27th, 2019
Laboratory 2815640 640
Potable Water Quality
EPA awards $6M to research potential environmental impacts of PFAS waste streams

Research will expand the understanding of the environmental risks posed by per- and poly-fluoroalkyl substances (PFAS) in waste streams and identify practical approaches to manage the potential impacts as PFAS enters the environment.

Sep 17th, 2019
Image by Michelle Maria from Pixabay
Infrastructure Funding
Digital water company 120WaterAudit secures $7M Series A funding

HG Ventures, Allos Ventures, Greenhouse Capital invest in water program management software platform to fuel product innovation and hiring.

Sep 17th, 2019
A wastewater treatment plant in Florida uses Beck Actuators on waste activated sludge (WAS) valves in both modulating and open/close service, as well as other areas throughout its treatment process.
Pumps
Extending the Actuator Life Cycle

Given the high demand and harsh weather conditions affecting many water treatment plants, it is especially important that modern water treatment plants utilize actuators that provide dependable control day in and day out without breakdowns.

Sep 14th, 2019
Mutag BioChip ™ without biofilm.
Filtration
MBBR Carrier Media: How Much Do I Really Need?

The basic and correct way to determine the required amount of MBBR carrier media in a wastewater treatment application depends on the organic load that needs to be removed, which is directly influenced by the flow rate, influent and effluent concentration

Sep 14th, 2019
Emmons Employees Pictured Left to Right: Beth Lounsbury, Drew Fox, Trent Emmons, Chris Roloson, Kim Emmons, Logan Geurtze, Nick Robinson, Ryan Frank, Eric Bashford.
Pumps
Metropolitan Industries acquires Emmons Pump & Control

Emmons Pump & Control, based in Albany, NY, has been a leading pump supplier in upstate New York for almost 30 years.

Sep 12th, 2019
Outdoors 3290142 640
Potable Water Quality
EPA, Federal Partners announce winners of Water Quality Challenge

This year’s winners demonstrated how data from low cost water quality monitoring sensors can be used to inform local-scale nutrient management decisions.

Sep 9th, 2019
Ball 63527 640
Utilities
Servelec Technologies completes acquisition of Primayer

The two businesses will be combined under the leadership of David Frost, MD of Servelec Technologies.

Sep 9th, 2019
Hawk Flo Corp Merger Logo
Flow / Level / Pressure Measurement
HAWK Measurement America, Flo-Corp Announce Merger

Combined company will provide innovative measurement technologies and cloud-based monitoring, producing a complete smart system solution.

Sep 6th, 2019