The USA’s drinking water is under threat. According to the US Environmental Protection Agency (EPA), 97 drinking water systems serving around 27 million users have critical or high-risk cybersecurity.
Although the EPA’s latest report focuses on the potential financial costs of cyber-attacks, there is also strong evidence that such attacks could also result in significant loss of life, with thousands or even millions of people being deliberately poisoned by terrorists or a hostile foreign power.
“We estimate that a [California] state-wide water service disruption could potentially cost at least $61 billion in lost revenue per day,” says the EPA report, Cybersecurity Concerns Related to Drinking Water Systems.
However, the cost could be far higher in terms of health. One hostile foreign power, understood to be Iran, has already tried to poison the entire civilian population of Israel by hacking into water treatment plants in an attempt to change the chemical balance of drinking water to make it potentially lethal. And potentially lethal cyber-attacks on US water treatment are currently on the rise, as we reported in July.
US infrastructure now a prime target for Iran, Russia and China
According to Dr. Leonid Cooperman, CEO and Co-Founder of operational technology (OT) cybersecurity firm, IXDen: “Critical infrastructure in the US has now become a prime target for Iranian, Russian and Chinese hackers. Their aim can either be to disable crucial services as part of a greater attack or simply to carry out industrial espionage and steal valuable intellectual property.”
“The vast majority of cyber breaches of critical infrastructure such as water and power facilities go unreported, although a precise figure is impossible to gauge. Those that are reported in the media are only the tip of the iceberg. OT attacks on private businesses are not reported at all, and in public organizations, they are rarely reported,” added IXDen Co-Founder Zion Harel.
Nor is there an easy fix for the security flaws in the systems that run water treatment plants in countries like the US, UK, and Israel. The OT systems that manage them were originally intended to be stand-alone systems. However, the need to integrate them with the digital age’s online IT systems has exposed many weaknesses for hackers to exploit.
“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” warns the EPA.
