[ISN] Report: Water systems' security lapses

InfoSec News isn at c4i.org
Wed Jan 12 10:40:05 EST 2005


January 11, 2005

WASHINGTON (AP) -- Water utilities have installed computer-based
remote controls "with little attention paid to security," leaving
valves, pumps and chemical mixers for water supplies vulnerable to
cyber-attack, according to an Environmental Protection Agency report.

In a report Monday, the EPA's inspector general cited costs, lack of
ability to check employees' backgrounds and poor communication between
technical engineers and management for the shortcomings.

Benjamin Grumbles, EPA's water chief, said Monday he agrees with the
report's assessment that there are "a broad range of challenges"  
facing water utilities, particularly with wireless communications
systems, but that his office now has a plan for making improvements.

"We are actively working to provide additional tools to communities to
enhance cyber security, providing funding for information that would
be placed on a secure web site by the fall, to help utilities be more
aware of potential threats to their computer systems," Grumbles said.

His office also is getting help, he said, from the Homeland Security
Department on ways of dealing with cyber threats and from an advisory
council on how to help utilities measure their improvement.

The computer-based controls were "developed with little attention paid
to security, making the security of these systems often weak," the
report says. As a result, many of the Supervisory Control and Data
Acquisition networks used by water agencies to collect data from
sensors and control equipment such as pumps and valves "may be
susceptible to attacks and misuse."

The danger is illustrated by an attack on an Australian waste
management system in 2000, the report says. An engineer who had worked
for the contractor that supplied the remote control equipment for the
system used radio telemetry to gain unauthorized access and dump raw
sewage into public waterways and the grounds of a hotel.

EPA Inspector General Nikki L. Tinsley urged EPA to find out what is
keeping specific water utility operators from making the systems
secure, and to develop federal security measures that could be used to
correct the problems.

The review by Tinsley's office was suspended after a meeting with
Grumbles' office, which agreed to incorporate her concerns into its

Tinsley notes that EPA spent $250,000 (euro190,800) in 2002 to pay for
research into how to improve security for computerized and automated
systems and that Homeland Security began focusing on protections for
the networks only last May.

In September, Grumbles told a House Energy subcommittee that the Bush
administration had "worked diligently" to improve security of water
facilities including 54,000 community drinking water systems and
16,000 public wastewater treatment plants.

The National Research Council, reviewing EPA's plan for improving
water system protection, also has cited a need for more attention to
security in designing the networks, and for heading off potential
internal threats such as actions by a disgruntled employee.

More information about the ISN mailing list