The Environmental Protection Agenegy warns that hackers are preparing to destroy state water facilities’ outdated systems. According to water security experts, hackers could damage our facilities’ digital infrastructure by adjusting chemical levels in the water supply, stopping the flow of water, or stopping the function of wastewater systems. There have been previous unsuccessful attempts to develop cyber security mandates, but those efforts received major pushback from states and water facilities. The EPA withdrew proposed binding requirements last year due to numerous state-filed lawsuits arguing that the rules would impose unbearable costs on its facilities to comply with the proposed regulations.
It goes without saying that our water management facilities are critical to our nation’s infrastructure, and with lower-level cyber-attacks already targeting water facilities there is fear that a more intricate and crippling attack is on the way. However, most water utility agencies do not know that their systems have already been compromised, meaning hackers have already gained access and are lying dormant until they are ready to attack. In February, the FBI stated that it has intervened on dormant, foreign-led hackers that were hiding in an American water system for at least five years. Late last year, after another foreign led cyber-attack, a Pennsylvania facility completely disabled the affected water controller. Finding dormant hackers is a difficult task, even with an investment in technologies to secure a facility’s system.
The EPA met with governors last month urging them to draw up new plans to deal with the looming risks facing their state’s water and wastewater systems. As a result, Arkansas Rep. Rick Crawford and California Rep. John Duarte proposed a bill that would create a governing body to develop cybersecurity mandates for water systems. This group would work alongside the EPA to enforce the new rules, but as history shows, any plans that do not include funding are sure to fail. Water facilities run on decades old equipment and industry-wide training on basic cyber protection is lacking – without significant funding to update systems and equipment, compliance will simply be unattainable for many facilities.
The attorneys at Chilivis Grubman advise clients of all types regarding cyber security issues. If you need help with such a matter, contact us today.