A new EPA report warns that water utilities have installed computer-based control systems "with little attention paid to security," leaving valves, pumps and chemical mixers vulnerable to cyber-attack.
In a report released yesterday, EPA's Inspector General Nikki L. Tinsley blamed the shortcomings on costs, lack of ability to check employees' backgrounds, and poor communication between technical engineers and management.
She also noted that although EPA spent $250,000 in 2002 to pay for research into how to improve security for computerized and automated systems, Homeland Security did not begin focusing on protecting the networks until May of 2004.
Benjamin Grumbles, EPA's assistant administrator for its Office of Water, said he agrees with the report's assessment that there is "a broad range of challenges" facing water utilities especially regarding wireless communications systems. But, he added, his office now has a plan for improvements.
"We are actively working to provide additional tools to communities to enhance cyber security, providing funding for information that would be placed on a secure web site by the fall, to help utilities be more aware of potential threats to their computer systems," Grumbles said yesterday.
The Office of Water also will get help from two sources: 1) the Homeland Security Department, on ways of dealing with cyber threats and 2) an advisory council, on how to help utilities measure their improvement.
The Supervisory Control and Data Acquisition (SCADA) networks often were "developed with little attention paid to security, making the security of these systems often weak," according to the report. As a result, many of the networks used to collect data from sensors and control equipment "may be susceptible to attacks and misuse."
An attack on an Australian waste management system in 2000 is one example of the danger, the report says. An engineer who had worked for the contractor supplying the systems SCADA equipment later gained access to cause a dump of raw sewage into public waterways and onto the grounds of a hotel.
In the report, Tinsley urged EPA to find out whats holding back specific water utility operators from making the systems secure. Tinsley also recommended the development of federal security measures that could be used to correct the problems.
The review by Tinsley's office was suspended after a meeting with Grumbles' office, which agreed to take action to address her concerns.
In September, Grumbles told a House Energy subcommittee that the Bush administration had "worked diligently" to improve security of water facilities including 54,000 community drinking water systems and 16,000 public wastewater treatment plants.