Amid multiple recent reports of hackers breaking into and tampering with drinking water treatment systems comes a new industry survey with some sobering findings: A majority of the 52,000 separate drinking water systems in the United States still haven’t inventoried some or any of their information technology systems — a basic first step in protecting networks from cyberattacks.
The Water Sector Coordinating Council surveyed roughly 600 employees of water and wastewater treatment facilities nationwide, and found 37.9 percent of utilities have identified all IT-networked assets, with an additional 21.7 percent working toward that goal.
The Council found when it comes to IT systems tied to “operational technology” (OT) — systems responsible for monitoring and controlling the industrial operation of these utilities and their safety features — just 30.5 percent had identified all OT-networked assets, with an additional 22.5 percent working to do so.
“Identifying IT and OT assets is a critical first step in improving cybersecurity,” the report concluded. “An organization cannot protect what it cannot see.”
It’s also hard to see threats you’re not looking for: 67.9 percent of water systems reported no IT security incidents in the last 12 months, a somewhat unlikely scenario.
Michael Arceneaux, managing director of the WaterISAC, said the survey shows much room for improvement and a need for support and resources.
“Threats are increasing, and the sector, EPA, CISA and USDA need to collaborate to help utilities prevent and recover from compromises,” Arceneaux said on Twitter.
While documenting each device that needs protection is a necessary first step, a number of recent cyberattacks on water treatment systems have been blamed on a failure to properly secur ..
Support the originator by clicking the read the rest link below.
