TECH: Are water utilities a target for hackers?
|Photo by Getty Images courtesy bbc.co.uk|
Earlier this month, an Illinois water utility confirmed it was the victim of an apparent cyber attack which led to the failure of one of its pumps. While Chicago’s ABC affiliate reports that Federal authorities had not yet confirmed the details, the utility said foreign hackers gained control of the equipment using its computer system’s remote access.
UPDATE 2011 12/1: The DHS and FBI reported this evening that they have found no evidence of hacking.
UPDATE 2011 12/2: Wired ran a very detailed account of the “comedy of errors” that led to the original report.
It could be the first example of a cyber attack on a public utility, according to WLS-TV, but Northeast Ohio Regional Sewer District officials are well aware that it would not be the last.
“This is an identified vulnerability nationally,” said Jim Davidson, Safety and Security Manager, “not only for the water sector but for most of critical infrastructure including chemical, energy and transportation.”
Many utilities, including the Sewer District, use a Supervisory Control and Data Acquisition (SCADA) system to manage controls such as regulators and pumps remotely. That automation does not come without risks, according to Director of Information Technology Humberto Sanchez, and the Sewer District constantly reviews safety measures to protect its assets, employees, and the public.
“We conduct security assessments to validate how effective our security configurations and procedures are,” Sanchez said, “because hackers and viruses have grown more sophisticated.”
Davidson said both the hardware and the management of it are critical to maintain proper security. “Our physical security steps include installing and maintaining firewalls and screening networks for viruses. Procedurally, we restrict remote access and protect critical data through backups and storage in safe places.”
There are other measures—some of which have been in place for years—by which the Sewer District further protects its system and infrastructure from “accidental impact or malicious intent,” according to Plant Automation Engineer Scott Sander.
“It’s an ongoing and growing responsibility,” Sanchez added.