EPA Watchdog Finds Security Lapses in Remote Controls for Water Systems
WASHINGTON Water utilities have installed computer-based remote controls "with little attention paid to security," leaving valves, pumps and chemical mixers for water supplies vulnerable to cyber-attack, according to an Environmental Protection Agency report.
In a report Monday, the EPA's inspector general cited costs, lack of ability to check employees' backgrounds and poor communication between technical engineers and management for the shortcomings.
The computer-based controls were "developed with little attention paid to security, making the security of these systems often weak," the report says. As a result, many of the Supervisory Control and Data Acquisition networks used by water agencies to collect data from sensors and control equipment such as pumps and valves "may be susceptible to attacks and misuse."
The danger is illustrated by an attack on an Australian waste management system in 2000, the report says. An engineer who had worked for the contractor that supplied the remote control equipment for the system used radio telemetry to gain unauthorized access and dump raw sewage into public waterways and the grounds of a hotel.
EPA Inspector General Nikki L. Tinsley urged EPA to find out what is keeping specific water utility operators from making the systems secure, and to develop federal security measures that could be used to correct the problems.
EPA officials in the Office of Research and Development and the Office of Water did not submit written responses to the inspector general, as federal agencies usually do.
Tinsley notes that EPA spent $250,000 in 2002 to pay for research into how to improve security for computerized and automated systems and that the Homeland Security Department began focusing on protections for the networks only last May.
In September, Benjamin Grumbles, EPA's water chief, told a House Energy subcommittee the Bush administration "worked diligently" to improve security of water facilities including 54,000 community drinking water systems and 16,000 public wastewater treatment plants.
The National Research Council, reviewing EPA's plan for improving water system protection, also has cited a need for more attention to security in designing the networks, and for heading off potential internal threats such as actions by a disgruntled employee
Source: Associated Press