The short answer is we don’t know. That should scare you a bit. In fact, it is likely that I have a better handle on the cybersecurity of my drinking water than many public water systems do.
Here are some stats.
A MAJORITY of the 52,000 drinking water supply systems in the United States have not inventoried some or any of their information systems.
The Water Sector Coordinating Council found that less than 40 percent of utilities have identified all of their IT assets (separate from their OT systems).
The Council says that 30 percent have identified all OT-related assets. An additional 22 percent are working on that, which means that almost half have neither completed the inventory nor started it.
68 percent said that they had no IT security incidents in the last year. Or, maybe, they just don’t know that they did. That means that a third ADMITTED that they did have an incident last year.
With publicly reported attacks on water systems in multiple states, including California, Kansas and Florida, the fact that it is a 50/50 crapshoot as to whether your local water system is even trying to protect your drinking water is not terribly comforting.
In 2018 the feds passed a law that required large water systems to report to the EPA that they had conducted a risk assessment. That report, for those systems, is due this month.
NOTE THAT THEY ARE NOT REQUIRED TO FIX THE RISKS, JUST REPORT THAT THEY HAD CONDUCTED A RISK ASSESSMENT. I think they also need to put together a plan, but no one is monitoring whether they actually implement it.
But the vast majority of drinking water systems are small and they are not even required to do that much.
So, if your water comes from a large water system (like, say, Denver), it is likely that they have conducted a risk assessment, even if they have not fixed the risks.
If your water comes from one of the tens of thousands of small water systems, well, you are kind of on your own.
Of course, the hackers are well aware of this, which is really the big risk.
Credit: Brian Krebs