xyst · 10 months ago
With the potential gutting/further defunding of the EPA and other federal regulatory agencies, my money says there will be no action taken until an actual security incident occurs. Administrations don’t care about the long-term health of the country, only what they can do in 4-year spans.

Cybersecurity is unfortunately not “sexy” enough for the common American voter to get behind.

015a · 10 months ago
Because it was being addressed before the defunding? I mean... clearly not. They haven't been defunded yet.

The issue is unlikely to be money, nor is it likely to be technical. If throwing ever-increasing amounts of money at the problem isn't fixing it, maybe it isn't all that crazy to try the opposite.

Spooky23 · 10 months ago
There has actually been a lot of investment in this area, especially in the last few years.

Cyber is seen as a risk and most municipal utilities and auditors are treating it as such. The private companies… not so much unless there’s a clear financial benefit or mandate.

toomuchtodo · 10 months ago
Republican lawmakers and the water industry sued the EPA saying it would be too expensive to secure water systems.

> In a statement to Recorded Future News, an EPA spokesperson confirmed that the memorandum – handed down in March – was being withdrawn due to lawsuits filed by attorneys general in the States of Missouri, Arkansas, and Iowa as well as industry groups American Water Works Association (AWWA) and National Rural Water Association (NRWA).

There is no point in trying to solve what there is no will to solve. Less money, more money, they just don’t want to have to do it or be liable.

https://therecord.media/epa-says-litigation-from-republicans...

https://www.iowaattorneygeneral.gov/newsroom/attorney-genera...

https://content.govdelivery.com/attachments/IACIO/2023/04/18...

Eumenes · 10 months ago
> Cybersecurity is unfortunately not “sexy” enough for the common American voter to get behind.

Government info-sec jobs suck too. Crap pay, red tape, onsite only. Also, a lot of security people have ethics surrounding privacy, data security, etc. Why work for a culture that spies on its own citizens, its allies, and engages in global terrorism? The NSA can attract some decent mathematical minds but is lacking on the security front.

toast0 · 10 months ago
> Why work for a culture that spies on its own citizens, its allies, and engages in global terrorism?

If you're working government info-sec for drinking water systems, it's going to be mostly for municipal water systems, often agencies that are a similar geographic scope as counties or cities but sometimes independent from them. Water districts aren't spying much (unless you have strong feelings about water meters, or lawn watering restrictions), and they rarely take part in acts of violence outside the districts they serve and the sources of their water.

Some of these systems are private companies, and who knows about ethics there, sure.

tetnis · 10 months ago
The math people work towards the same goal. Why single them out?
frutiger · 10 months ago
Somehow I doubt the security posture was magnificent even before the defunding. This kind of thing is usually a simple checklist item for companies let alone government agencies.
javajosh · 10 months ago
I think it is safe to say that few if anyone actually understands the common American voter and what they actually care about. Anecdotally, the prevalence of cyber-security plot points in action thriller movies/games/books indicates that there is at least some awareness of the threat.
elmerfud · 10 months ago
My core question is, why? I understand that security can be difficult, but why is infrastructure that was able to operate effectively for many decades before microcontrollers were even a thing vulnerable to remote attacks?

I get having monitoring systems for it that are accessible in a way they could be hacked and disrupted, but why is the core operational infrastructure that way? Command and control should be isolated and be using 50-70 pneumatic tech to control it. Building in such a way to allow it to be disrupted remotely is the core problem here.

Just because you can, doesn't mean you should.

jcranmer · 10 months ago
A water treatment plant would need about 2 people to a shift (and 4 sets of people) to have 24/7 monitoring (one to watch the control screens, and one to handle tasks like running tests on water, handling deliveries, etc., that takes you away from the screens), and that basically doesn't change if you're a small facility making 10KGD of water or a large facility making 100MGD of water. There is serious economy of scale going on here.

If you're a small facility servicing a few thousand people, you can't afford to have that kind of monitoring, and so you have to economize in various ways. One of the popular ways is pooling together with other small facilities so that you have one person doing that monitoring for several sites at once, which requires some form of remote operation.

Furthermore, when I worked at a large water company, all of our network, even the telemetry to the various pumping stations dotted around the service area, was on a private network airgapped from the internet. But there's also economy of scale here; a large company servicing 1.5 million people in a large metropolitan area can afford to do custom fiber backhaul in a way that even a bunch of small companies in the rural Midwest cannot, and so the control systems end up being Internet-accessible because it's too expensive for them not to be.

elmerfud · 10 months ago
I understand that monitoring and status are reasonable to optimize for cost and this comes with some tradeoffs. Loss of monitoring should not equal a loss of service, not unless that monitoring is offline for an extended period.

The actual functional control for ensuring a critical service like water is working should remain as an analog computer with something like pneumatics, or other such technology. These are robust and can continue to operate even when electronic circuits have failed.

Loss of visibility, and loss of service should be separated. This should be the same even for power stations as well.

joe_the_user · 10 months ago
Yeah,

Small cities are quite willing to economize even if it means X risk some attacker will muck with the system.

But the thing I'd take issue with is the "can't afford it" part.

Of course these cities could afford an onsite worker. As GP pointed out, these districts operated long before the Internet and they could provide water then. But the neoliberal paradigm has appeared and suddenly the constant claim is that no organization "can afford" not to do any given automation measure, no matter how illogical or dangerous. And so a key thing is calling organizations on this baloney.

RandomThoughts3 · 10 months ago
> I get having monitoring systems for it that are accessible in a way they could be hacked and disrupted

Actually it’s very easy to isolate that part. One-way network equipment with physical isolation has existed for decades. An optic fibre with only an emitter on one side and only a receiver on the other will do the trick.
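What the one-way (data diode) link in the comment above implies for the software on each side, as an added example that is not part of the thread or of any vendor's product: because the monitoring side can never ACK, NAK or request a retransmission, every telemetry frame has to be self-describing. The sender stamps each frame with a monotonically increasing sequence number (so the receiver can detect drops and replays on its own), a timestamp, and an HMAC-SHA256 tag under a pre-shared key (so a host on the monitoring network cannot forge plant readings). The key, the instrument tag `FT-101`, the readings and the lossy delivery order are all constructed for illustration.

```python
"""
Added example: framing for telemetry pushed across a one-way link.
Assumptions (not from the thread): the diode carries datagrams from the
plant side to the monitoring side only; both sides share a symmetric key
that was provisioned out of band; loss is detected, never recovered.
"""
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TAG_LEN = 16                          # truncated HMAC-SHA256 tag, in bytes
HEADER = struct.Struct("!Qd")         # seq (uint64), unix timestamp (float64)


@dataclass
class Frame:
    seq: int
    ts: float
    payload: dict


def encode_frame(key: bytes, frame: Frame) -> bytes:
    """header || canonical JSON payload || HMAC tag over header+payload."""
    body = HEADER.pack(frame.seq, frame.ts) + json.dumps(
        frame.payload, sort_keys=True, separators=(",", ":")
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def decode_frame(key: bytes, wire: bytes) -> Optional[Frame]:
    """Return the frame, or None if it is truncated, tampered or forged."""
    if len(wire) < HEADER.size + TAG_LEN:
        return None
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    seq, ts = HEADER.unpack_from(body)
    try:
        payload = json.loads(body[HEADER.size:])
    except ValueError:
        return None
    return Frame(seq, ts, payload)


class Sender:
    """Plant side: only ever emits, never reads anything back."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0

    def emit(self, ts: float, payload: dict) -> bytes:
        self.seq += 1
        return encode_frame(self.key, Frame(self.seq, ts, payload))


class Receiver:
    """Monitoring side: cannot talk back, so it only records what it infers."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0
        self.readings: List[Frame] = []
        self.events: List[Tuple] = []   # ("gap", lo, hi) / ("replay", seq) / ("bad_frame",)

    def consume(self, wire: bytes) -> None:
        frame = decode_frame(self.key, wire)
        if frame is None:
            self.events.append(("bad_frame",))          # forged or corrupted
            return
        if frame.seq <= self.last_seq:
            self.events.append(("replay", frame.seq))   # old or duplicated frame
            return
        if frame.seq != self.last_seq + 1:              # something was dropped
            self.events.append(("gap", self.last_seq + 1, frame.seq - 1))
        self.last_seq = frame.seq
        self.readings.append(frame)


def demo() -> Receiver:
    """Constructed run: one drop, one replay, one forged frame on the wire."""
    key = b"constructed-preshared-key"
    tx, rx = Sender(key), Receiver(key)
    frames = [tx.emit(1700000000 + i, {"tag": "FT-101", "gpm": 1200 + i}) for i in range(5)]
    forged = encode_frame(b"wrong-key", Frame(99, 0.0, {"tag": "FT-101", "gpm": 0}))
    # delivery order: seq 1, 2, 4 (3 lost), 2 again (replay), 5, then the forgery
    for wire in [frames[0], frames[1], frames[3], frames[1], frames[4], forged]:
        rx.consume(wire)
    return rx


if __name__ == "__main__":
    result = demo()
    print([f.seq for f in result.readings], result.events)
```

Two design points follow from the link being physically one-way: the transport has to be datagram-like (a TCP handshake cannot complete without return traffic), and the receiver's job on a gap is to raise an alarm on the monitoring side rather than wait for data that will never be re-sent. The HMAC protects authenticity, not confidentiality; if the readings themselves are sensitive, encrypt the payload with a separate key before tagging.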

elmerfud · 10 months ago
Fiber still relies on electronic circuits. While they can be isolated network wise they are not immune to attacks in the way a pneumatic system is.
9x39 · 10 months ago
As others have said in more detail: cost. So they enable remote control to cut costs.

They don't want to pay a 24/7 on-site ops center. They take their chances and bolt-on security, and that's how the incentives work today.

Veserv · 10 months ago
It is cheaper, your product takes fewer people to operate, you can outsource the operations, if you deliver IoT solutions you get to call yourself a tech company which gets you valued at 30x earnings instead of 10x earnings, getting hacked does not affect your stock price, and the actual effect of getting hacked is actually minor because you get hacked by the functional equivalent of Dr. Evil who takes down water for millions of people or cripples a billion dollar business, then asks for the staggering sum of 1… million dollars.
davemp · 10 months ago
It’s probably necessary for something along the lines of requiring a licensed engineer to sign off on these systems if private companies are going to manage critical infrastructure.
Joel_Mckay · 10 months ago
Indeed, and the regulatory standards get really specific about what hardware can even be installed in some locations.

Also, due to past shenanigans with vendor lock-in schemes the Engineering Managers often have a valid concern for cryptographic/locked infrastructure and maintenance cycles. Ironically, right-to-repair legislation may slowly improve the situation.

It is not a technical problem, but a bureaucratic one =3

VoodooJuJu · 10 months ago
I think it'd be a shame if engineers were the ones to make the decision in this case. The decision needs to be made by people with a more serious understanding of risk and fragility, like the military generals, and especially by the people who will bear both the upsides and downsides of the decision, a.k.a. the local community who will be consuming the water.
Loughla · 10 months ago
This is one of the few areas where rural living is better, in my experience.

Our water, power, and Internet are all delivered by local co-ops. We actually do get a direct say in how the money is spent on our infrastructure.

It's one of the reasons why I have fiber Internet whereas the closest town (managed by for profit entity) is still fighting to roll it out years after we had ours run to us.

I also got reimbursed by the co-op for the water line to my house when we built the place.

I also lobbied the power board to prioritize tree removal near lines for a more reliable service.

applied_heat · 10 months ago
Do computer and software engineers stamp their drawings and reports? I’ve only seen electrical, civil and mechanical drawings stamped, but that is who is involved in hydroelectric.
davemp · 10 months ago
There is no requirement for stamped designs for digital systems as far as I know.
Eumenes · 10 months ago
Now is a good time to prep. Get a few food-grade 55-gallon drums - you can usually find them at food/restaurant supply stores or from people trying to get rid of them on craigslist/fb market. Get a dolly so you can move them around your garage or basement. Just need a few teaspoons of bleach to keep it good for ~ 6 months. If your washer is in your basement, you can disconnect the cold line to fill up the drums, or you can run a garden hose. They also make kitchen faucet to garden hose attachments. When you need to drain it, a cheap transfer or sump pump will do the job.
mindslight · 10 months ago
Speaking as someone who has the entirety of my heat for this winter stacked up in totes, prepping by storing bulk materials is not really something to be done lightly. Unless you turn this DIY water buffer into something you use in your every day life (ie thirsty? time to go to the basement to get a glass of water), you will get bored of maintaining it long before the municipal water supply fails.

Also 55 gallons of water is ~450lbs, so it's not going to be terribly easy to move with an [appliance] dolly. You probably want pallets and a pallet jack (and a smooth concrete floor).

Personally I'd suggest getting an RO filter for your every day drinking water needs, and setting up a rain barrel collection that you can routinely use for outdoor garden/plants. Then if you suddenly need drinking water, you should be good just boiling the rain water. And if there is some large scale catastrophe with some kind of chemical/radiological contaminant in the rain, you can run it through the RO.

Eumenes · 10 months ago
I'm not a strong person and can move around a 55-gallon barrel super easily with these dollies: https://www.amazon.com/Gallon-Heavy-Duty-Plastic-Dolly/dp/B0...

I can also drain it in < 5 mins with a cheap siphon (I let it drain into a sump basin). So swapping it out every few months is easy.

But I agree, an RO filter is great, esp for everyday use.

One concern I have with a rain water barrel is how it's collected. If you have an asphalt roof, there is some nasty stuff in it, and I'm not sure if boiling helps in that situation. Need to do more research there. But it's a great idea for watering a garden/yard.

aaronbrethorst · 10 months ago
Who needs cybersecurity risks when you have an incoming republican administration hellbent on gutting regulations to the benefit of industry, a SCOTUS bending over backwards to help them do it (stare decisis? What’s that?), and a HHS secretary nominee who wants to singlehandedly trigger the next pandemic or two.
shiroiushi · 10 months ago
RFK isn't going to trigger a pandemic; don't be ridiculous. Pandemics aren't caused by individuals.

But, similar to not having any smoke detectors in your home when something catches fire at night, being in a pandemic with him running the health agency is not going to turn out well for you.

aaronbrethorst · 10 months ago
Where did I say he's going to trigger a pandemic?
BobbyTables2 · 10 months ago
If one concludes that >92% of Americans are served by properly secured facilities, that sounds like quite a win!

(It’s all about spin)

Of course, an example statistic like 99.9% of airline passengers surviving a flight is not all that great…

neverartful · 10 months ago
Why do the water systems need to be connected to the internet at all? If the systems are completely disconnected from the internet there shouldn't be much cybersecurity risk. Of course there still needs to be proper precautions to prevent a Stuxnet type worm getting through.
lancesells · 10 months ago
Yeah I never understand all these systems being connected at all. I understand remote working and monitoring, but is that worth it for something that is the most crucial part of society?
arminiusreturns · 10 months ago
Yep, got to help with some water systems in small town govs. No care for security and no budget = this situation.