With the potential gutting/further defunding of EPA and other federal regulatory agencies. My money says there will be no action taken until an actual security incident occurs. Administrations don’t care about the long term health of the country, only what they can do in 4 year spans.
Cybersecurity is unfortunately not “sexy” enough for the common American voter to get behind.
Somehow I doubt the security posture was magnificent even before the defunding. This kind of thing is usually a simple checklist item for companies let alone government agencies.
Because it was being addressed before the defunding? I mean... clearly not. They haven't been defunded yet.
The issue is unlikely to be money, nor is it likely to be technical. If throwing ever-increasing amounts of money at the problem isn't fixing it, maybe it isn't all that crazy to try the opposite.
Republican lawmakers and the water industry sued the EPA saying it would be too expensive to secure water systems.
> In a statement to Recorded Future News, an EPA spokesperson confirmed that the memorandum – handed down in March – was being withdrawn due to lawsuits filed by attorneys general in the States of Missouri, Arkansas, and Iowa as well as industry groups American Water Works Association (AWWA) and National Rural Water Association (NRWA).
There is no point in trying to solve what there is no will to solve. Less money, more money, they just don’t want to have to do it or be liable.
https://therecord.media/epa-says-litigation-from-republicans...
> Cybersecurity is unfortunately not “sexy” enough for the common American voter to get behind.
Government info-sec jobs suck too. Crap pay, red tape, onsite only. Also, a lot of security people have ethics surrounding privacy, data security, etc. Why work for a culture that spies on its own citizens, its allies, and engages in global terrorism? The NSA can attract some decent mathematical minds but is lacking on the security front.
I think it is safe to say that few if anyone actually understands the common American voter and what they actually care about. Anecdotally, the prevalence of cyber-security plot points in action thriller movies/games/books indicates that there is at least some awareness of the threat.
My core question is, why? I understand that security can be difficult, but why is infrastructure that was able to operate effectively for many decades before microcontrollers were even a thing vulnerable to remote attacks?
I get having monitoring systems for it that are accessible in a way they could be hacked and disrupted, but why is the core operational infrastructure that way? Command and control should be isolated and be using 50-70 pneumatic tech to control it. Building in such a way to allow it to be disrupted remotely is the core problem here.
Just because you can, doesn't mean you should.
A water treatment plant would need about 2 people to a shift (and 4 sets of people) to have 24/7 monitoring (one to watch the control screens, and one to handle tasks like running tests on water, handling deliveries, etc., that takes you away from the screens), and that basically doesn't change if you're a small facility making 10KGD of water or a large facility making 100MGD of water. There is serious economy of scale going on here.
If you're a small facility servicing a few thousand people, you can't afford to have that kind of monitoring, and so you have to economize in various ways. One of the popular ways is pooling together with other small facilities so that you have one person doing that monitoring for several sites at once, which requires some form of remote operation.
Furthermore, when I worked at a large water company, all of our network, even the telemetry to the various pumping stations dotted around the service area, was on a private network airgapped from the internet. But there's also economy of scale here; a large company servicing 1.5 million people in a large metropolitan area can afford to do custom fiber backhaul in a way that even a bunch of small companies in the rural Midwest cannot, and so the control systems end up being Internet-accessible because it's too expensive for them not to be.
As others have said in more detail: cost. So they enable remote control to cut costs.
They don't want to pay a 24/7 on-site ops center. They take their chances and bolt-on security, and that's how the incentives work today.
It is cheaper, your product takes fewer people to operate, you can outsource the operations, if you deliver IoT solutions you get to call yourself a tech company which gets you valued at 30x earnings instead of 10x earnings, getting hacked does not affect your stock price, and the actual effect of getting hacked is actually minor because you get hacked by the functional equivalent of Dr. Evil who takes down water for millions of people or cripples a billion dollar business, then asks for the staggering sum of 1… million dollars.
> I get having monitoring systems for it that are accessible in a way they could be hacked and disrupted
Actually it’s very easy to isolate that part. One-way network equipment with physical isolation has existed for decades. An optic fibre with only an emitter on one side and only a receiver on the other will do the trick.
Fiber still relies on electronic circuits. While they can be isolated network wise they are not immune to attacks in the way a pneumatic system is.
It’s probably necessary for something along the lines of requiring a licensed engineer to sign off on these systems if private companies are going to manage critical infrastructure.
Indeed, and the regulatory standards get really specific about what hardware can even be installed in some locations.
Also, due to past shenanigans with vendor lock-in schemes the Engineering Managers often have a valid concern for cryptographic/locked infrastructure and maintenance cycles. Ironically, right-to-repair legislation may slowly improve the situation.
It is not a technical problem, but a bureaucratic one =3
I think it'd be a shame if engineers were the ones to make the decision in this case. The decision needs to be made by people with a more serious understanding of risk and fragility, like the military generals, and especially by the people who will bear both the upsides and downsides of the decision, a.k.a. the local community who will be consuming the water.
This is one of the few areas where rural living is better, in my experience.
Our water, power, and Internet are all delivered by local co-ops. We actually do get a direct say in how the money is spent on our infrastructure.
It's one of the reasons why I have fiber Internet whereas the closest town (managed by for profit entity) is still fighting to roll it out years after we had ours run to us.
I also got reimbursed by the co-op for the water line to my house when we built the place.
I also lobbied the power board to prioritize tree removal near lines for a more reliable service.
My rural "neighbors" pay more than 2x for electricity and don't have any water/sewer service. I live in a small town in a geographically large county that only has about 35,000 residents, so there may be differing ideas of rural at play.
We pay more, yes, but not 2x what the city people pay in the next county over. Maybe 1.2x or so. Obviously there is no sewer service, just septic tanks. That cost is minimal once they're installed. Install price was around 5k, and it costs $200 to have it pumped every four or five years.
The definition of rural to me is around 12k residents in a county that is around 1000 square miles. That's the size of where we are. The largest town is around 3k people. Two counties over is a city of about 40k. The 3k town is part of our co-op, so they have fiber. The 40k had less than 15% on fiber the last I knew, but that was two years ago. Since then they haven't run any more lines, but have added customers on their existing lines.
Now is a good time to prep. Get a few food grade 55 gallon drums - you can usually find them at food/restaurant supply stores or people trying to get rid of them on craigslist/fb market. Get a dolly so you can move them around your garage or basement. You just need a few teaspoons of bleach to keep it good for ~6 months. If your washer is in your basement, you can disconnect the cold line to fill up the drums, or you can run a garden hose. They also make kitchen faucet to garden hose attachments. When you need to drain it, a cheap transfer or sump pump will do the job.