The Ventura County Grand Jury is recommending that local water providers upgrade their cybersecurity in the wake of cyberattacks against seven of them in the last five years.
The 2021-22 grand jury investigated the county's public – not private – water providers and concluded "there is considerable opportunity for improvements of cybersecurity policies and procedures," a report issued in May says.
The jury said that of the 14 water providers it interviewed, seven had "experienced some form of cyberattack within the last five years, ranging from successful phishing attacks to ransomware."
The attacks exploited cyber vulnerabilities such as an attacker's familiarity with the network, vulnerability of connected devices or poor access controls, the report says.
The document does not identify the seven providers or provide more details of the attacks.
Such attacks pose "a serious threat to the public drinking water supply," the report says.
For instance, the study notes, there were two well-publicized attempts last year by hackers to poison water supplies in Oldsmar, Florida and the San Francisco Bay area.
"The grand jury investigation addressed the vulnerability of Ventura County water providers to similar cyberattacks, which could disrupt clean water availability and/or provider business operations," the report says.
Keith Frost, foreman of the 2022-23 grand jury, said in an email Thursday that he cannot discuss the report.
"Grand jury members cannot comment on the investigation or the drafting of the report due to confidentiality provisions" of the state penal code, he said.
'Complex network'
The report says that according to the EPA, there are 64 community water systems that supply drinking water to Ventura County residents.
About 98% of the county's water is supplied by the 25 largest systems, including the Oxnard Water Department, Ventura Water, Ventura County Waterworks District No. 8, whose board of directors is the Simi Valley City Council, Cal American Water and the Thousand Oaks Water Department, according to the report.
More than half of the water delivered to Southern California homes and businesses is imported from Northern California by the Metropolitan Water District of Southern California through the State Water Project and from the Colorado River, the report says.
The MWD allocates a portion of the water to Ventura County. Two wholesale water providers, Calleguas Municipal Water District and United Water Conservation District, are primarily responsible for distribution of the imported water to the county's communities, according to the report.
"The grand jury found that Ventura County relies on a complex network of public and private water wholesalers and retailers," the report says.
The jury's investigation concentrated on the public providers who supply 76% of the county's water users, the study says.
The group examined two primary areas of cyber vulnerability in the water sector: the information technology used to bill consumers and record usage, and the operational technology, which controls the chemical treatment, filtration, storage and distribution of a provider's water.
The investigation focused on the cyber-vulnerable component of operational technology, the supervisory control and data acquisition system, which remotely manages it.
"Malicious actors can take advantage of network vulnerabilities and/or weak access controls in either IT or OT," the report says.
Findings and recommendations
Based on its investigation, the jury made a number of findings:
- Cybersecurity of both IT and SCADA systems is essential to safe and effective delivery of water.
- Levels of cybersecurity for IT and SCADA systems are inconsistent among the investigated water providers.
- Levels of cybersecurity training are also inconsistent.
- Levels and frequency of cybersecurity assessments are inconsistent too.
- Knowledge of cyber incident reporting requirements is inadequate among the investigated water providers.
- There is insufficient information exchanged among the interviewed water providers regarding cybersecurity threats, attacks, protections and remedies.
- There is insufficient awareness among public water providers of available federal and state expert cybersecurity services and support for their systems.
- Some of the investigated water providers’ business recovery plans did not address recovery from a cyber incident.
The jury also made recommendations for the water providers it investigated:
- They should regularly assess their cybersecurity, addressing both IT and SCADA consistent with recommended best practices of the EPA and Cybersecurity & Infrastructure Security Agency.
- They should regularly share and exchange information regarding cybersecurity threats, attacks, protections and remedies, and provide training, using such forums as the Association of Water Agencies Ventura County.
- They should use free federal and state expert assistance to enhance cybersecurity.
- They should regularly conduct cybersecurity awareness training.
- They should address recovery from cybersecurity incidents in their business recovery plans.
- They should establish Cybersecurity & Infrastructure Security Agency-compliant internal protocols for reporting cyber incidents.
"Although the grand jury did not interview all of Ventura County water providers, the grand jury recommendations could serve as a model to strengthen the cybersecurity of all," the report says.
Required responses
Pursuant to the penal code, recipients of the grand jury's report are required to inform the jury whether they agree with the report's findings. They must also report how they propose to address, or have addressed, the report's recommendations.
Responses to the jury so far include Thousand Oaks, whose public works department said the city has implemented five of the six recommendations, including requiring all employees to attend and pass cybersecurity training.
"The city has (also) implemented regular random phishing attack tests for staff," the reply says.
The city says it's working on enacting the other recommendation to address recovery from cybersecurity incidents in its business recovery plan.
The Triunfo Water District, which supplies water to more than 30,000 people in east Ventura County, said in its response that it "has not experienced a cybersecurity event and informs its IT vendor, Frontier Technology Inc., of any suspicious activity in a timely manner."
It says it has enacted three of the recommendations and plans to carry out the other three.
The Ventura County Public Works Agency and the Oxnard Public Works Department said in their responses that they've implemented all the recommendations.
Camarillo said it has put into practice five of the recommendations and will implement the other one, establishing an internal protocol for reporting cyber incidents.
The Camrosa Water District, based in Camarillo, has implemented five of the six recommendations. It says it has to further analyze the other recommendation to share and exchange information about cybersecurity on public forums, which it doesn't currently do.
Ventura Star
By Mike Harris
September 12, 2022