Critical Water Systems at Risk: Addressing the 70% Security Vulnerability

How safe is our drinking water? With increasing reliance on automated systems and remote access technologies, water treatment facilities are becoming prime targets for both cyber and physical attacks. Recent incidents have highlighted the vulnerabilities within these critical infrastructures, raising alarms about their security and resilience. Disturbingly, a significant portion of these facilities remains unprotected, putting public health at risk.

The Extent of Vulnerability

According to a recent enforcement alert from the EPA, approximately 70% of water treatment facilities are currently in violation of security standards, making them susceptible to potential attacks. This alarming statistic underscores the widespread vulnerability within the sector, which, if exploited, could lead to catastrophic consequences for millions of people relying on these systems for clean and safe drinking water​ (CISA)​​ (SourceSecurity)​

Notable Security Breaches

The increasing frequency of both cyber and physical security breaches at water treatment facilities is a growing concern:

1. Oldsmar, Florida (2021): In one of the most prominent recent incidents, hackers remotely accessed the Oldsmar water treatment plant's computer system and attempted to poison the water supply by increasing the level of sodium hydroxide. The attacker was only in the system for a few minutes, but the potential for harm was significant. Quick action by a vigilant operator averted a disaster, highlighting both the risk and the need for constant vigilance​ (SourceSecurity)​.

2. Kansas (2019): A former employee of a Kansas water treatment facility attempted to sabotage the water supply by using credentials that had not been revoked after his resignation. Although unsuccessful, this incident revealed how lapses in access control can be exploited to threaten public safety​ (CISA)​.

3. New Jersey (2020): Another case involved potential ransomware that compromised files at a New Jersey water treatment facility. Such attacks can disrupt operations and compromise the safety and quality of the water supply, demonstrating the need for robust cybersecurity measures​ (CISA)​.

The Broader Impact of Security Violations

These incidents are not isolated; they reflect a broader trend of increasing threats to critical infrastructure. Cybersecurity professionals have long warned about the vulnerabilities in our nation's water systems, emphasizing that both nation-state attackers and individual malicious actors pose significant threats. The transition to digital and automated systems, while beneficial for efficiency and control, has also expanded the attack surface for potential threats​ (SourceSecurity)​.

The National Security Perspective

The implications of these vulnerabilities extend beyond local communities. As seen in the Oldsmar incident, even a single successful attack can have far-reaching consequences, potentially affecting thousands of residents. U.S. Senator Marco Rubio highlighted this when he called the attempt to poison the water supply a "matter of national security," underscoring the urgent need for comprehensive security measures​ (SourceSecurity)​.

Conclusion

The security of our water treatment facilities is an issue of paramount importance. With 70% of these facilities currently failing to meet security standards, the risks posed by cyber and physical attacks are more significant than ever. Addressing these vulnerabilities requires a concerted effort to bolster both physical and cybersecurity measures, ensuring the safety and reliability of our water supply and protecting public health from those who would seek to cause harm.

For more information on the EPA's findings and the specific vulnerabilities of drinking water systems, visit the EPA's enforcement alert.

Training Resources:

For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.

• Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists

• Physical Audit Training - 2 day course on how to setup and run a physical security audit

• Elicitation Toolbox Course - 2 day course of that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming

• Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safegaurd your secrets.

• Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.

• Private Instruction - Focused learning & training based on your needs .