Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label water supply. Show all posts
water system security
Cyber Hackers Cyber Security cybersecurity risks data security digital safety Environment IRGC Operational Technology water supply water system security

EPA Report Reveals Cybersecurity Risks in U.S. Water Systems

 

A recent report from the Environmental Protection Agency (EPA) revealed that over 70% of surveyed water systems have failed to meet key cybersecurity standards, making them vulnerable to cyberattacks that could disrupt wastewater and water sanitation services across the United States. 

During inspections, the EPA identified critical vulnerabilities in numerous facilities, such as default passwords that had never been updated from their initial setup. In response, the agency issued an enforcement alert, urging water system operators to improve their cybersecurity measures. Recommended actions include conducting an inventory of operational assets, implementing cybersecurity training programs, and disconnecting certain systems from the internet to enhance security. 

The EPA has announced plans to increase inspections of water infrastructure and, when necessary, take civil and criminal enforcement actions to address any imminent and substantial threats to safety. Under Section 1433 of the Safe Water Drinking Act, community water systems serving over 3,300 people are required to perform comprehensive safety assessments and update their emergency response plans every five years. 

The high failure rate reported by the EPA indicates potential violations of this section, highlighting missed opportunities to protect these essential services through risk and resilience evaluations. This alert follows a series of cyber incidents over the past year, where nation-state hackers and cybercriminal groups have targeted water systems. These attacks have included unauthorized access to water treatment control systems, manipulation of operational technology, and other forms of sabotage. The regulatory environment for U.S. water systems is complex, often involving state and local government oversight.

Many rural water operators, unlike their federal counterparts, lack sufficient resources to bolster their digital defenses. While the EPA has attempted to enforce stricter security mandates, these efforts have faced legal challenges from GOP-led states and industry groups. In October, the EPA rescinded a directive that would have required water providers to assess their cybersecurity measures during sanitation surveys. Nation-state adversaries, including Chinese and Iranian hacking groups, have frequently breached U.S. water infrastructure. 

China's Volt Typhoon group has been particularly active, infiltrating critical infrastructure and positioning themselves for further attacks. In one instance, Iranian Revolutionary Guard Corps-backed hackers targeted industrial water treatment systems, and more recently, Russia-linked hackers breached several rural U.S. water systems, posing significant safety risks. In March, the EPA and the National Security Council issued a joint alert, urging states to remain vigilant against cyber threats targeting the water sector. The alert emphasized that drinking water and wastewater systems are attractive targets for cyberattacks due to their critical role and often limited cybersecurity capabilities. 

Moreover, a Federal Energy Regulatory Commission (FERC) official recently testified about the vulnerability of dam systems to cyberattacks, indicating that new cybersecurity guidelines for dams could be developed within the next nine months. The EPA's report underscores the urgent need for improved cybersecurity measures in U.S. water systems to protect these vital resources from potential cyber threats.
Read more »
water supply
Cyber Security Data Center Data Policies Data reports Energy EU European Commission water supply

EU Data Centers to Report Energy and Water Use Under New Rules

 

The European Union is poised to take a significant step toward regulating energy and water use in data centers. Beginning in September, all organizations operating data centers within EU nations will be required to file detailed reports on their water and energy consumption. Additionally, these organizations must outline the measures they are taking to reduce their environmental footprint. 

Data centers have been specifically targeted because they account for an estimated 2% to 3% of the total energy consumption in the EU. The increasing demand for data processing power, driven largely by the rise of AI technologies, is a major factor behind this significant energy use. Ermengarde Jabir, a senior economist at Moody’s, highlights the immense power requirements of data center hubs within the EU. 

For instance, data centers in Amsterdam demand approximately 950 megawatts of energy capacity, while those in Dublin require over 700 megawatts. Similarly, data centers in Paris and Frankfurt have comparable energy needs to Dublin. To put this in perspective, 1 megawatt of power is sufficient to power between 750 to 1,000 homes for an entire year. Notably, the world’s largest data center hub, located in northern Virginia, has a staggering capacity of 4,500 megawatts. 

The EU's new reporting rules, along with any subsequent regulations aimed at reducing energy consumption, currently apply only to data centers within EU member states. However, EU environmental regulations often serve as a model for other regions, with the notable exception of North America, according to Cándido García Molyneux, an environmental lawyer based in Brussels with the law firm Covington & Burling. “When the EU adopts these reporting requirements, it is very likely that many other countries will follow suit,” Molyneux explains. He also notes that nations aspiring to join the EU or engage in trade with the EU may need to comply with these energy regulations. 

Moreover, the EU has already implemented government procurement regulations focused on energy efficiency. Companies providing cloud or web-based services to EU residents and businesses from data centers outside the EU might also face future energy use regulations. The EU’s drive to reduce energy consumption is motivated by several factors, including the desire to phase out fossil fuels and decrease dependence on foreign energy sources, according to Moody’s Jabir. 

Although efforts to reduce energy consumption began before the conflict in Ukraine, the war has intensified the EU's resolve to cut imports of Russian oil, gas, and coal. The introduction of energy and water use reporting rules marks an early step toward broader regulation. While some energy experts believe most data center operators are prepared to comply, Molyneux anticipates challenges for certain operators. Smaller data center operators might not be aware of the new rules, and others could struggle to gather the required information in time. 

In summary, the EU’s new reporting requirements for data centers represent a crucial move toward greater transparency and accountability in energy and water use. By enforcing these regulations, the EU aims to achieve substantial reductions in energy consumption, contributing to broader environmental and sustainability goals.
Read more »
water system security
Critical Infrastructure Cyber Threats cybersecurity posture Data Breach ransomware attacks Southern Water Veolia North America water supply water system security

Major Water Suppliers Hit by Ransomware Attacks

 

Recent ransomware attacks have impacted two major water supply systems in the United States and the United Kingdom, with Boston-based Veolia North America and England's Southern Water falling victim to cyber threats. In both instances, attackers have reportedly seized employee or customer data and are demanding ransom payments. Fortunately, neither organization has reported prolonged service disruptions due to encrypted files or folders, and no ransom payments have been disclosed.

Veolia North America, serving approximately 550 communities, acknowledged a ransomware incident affecting its Municipal Water division. The attack prompted the temporary shutdown of some software applications and systems, causing delays in online bill payment systems for customers. The company assured that no operational technology, including industrial control systems, was compromised. Digital forensics investigators were promptly engaged to investigate the intrusion, and affected individuals will be directly notified about the stolen personal information.

Similarly, Southern Water in the UK confirmed a ransomware attack by the Black Basta group but asserted that no data encryption occurred, and critical operations remained intact. The utility, serving 2.5 million water customers and over 4.7 million wastewater customers, is still evaluating the extent of potential data theft. The Black Basta group claimed to have stolen 750 gigabytes of data, including corporate documents and users' personal information. Southern Water emphasized that customer relationships and financial systems remained unaffected, and services continued without disruption.

These incidents come amid a broader surge in ransomware attacks, as highlighted in a report by British consultancy NCC Group, revealing an 84% increase in known ransomware attacks in 2023 compared to the previous year. The U.S. Cybersecurity and Infrastructure Security Agency recently released an incident response guide for the water and wastewater sector, emphasizing the potential cascading impacts of a compromise in critical infrastructure sectors.

The White House has been urging various critical infrastructure sectors to enhance their cybersecurity posture, with a focus on reviewing and improving defenses. The attacks also underscore the ongoing challenges in ensuring the cybersecurity of essential services, prompting organizations to remain vigilant and proactive in safeguarding their systems.
Read more »
Subscribe to: Posts (Atom)