Tuesday, July 10, 2012

DHS Inspects Water Plant Control System

There is an interesting article on TheDailyMail.net about a recent DHS inspection of a water treatment facility in a small town in New York. The article claims that “the Department of Homeland Security is requiring the Village of Athens to replace the computers at the water filtration plant to make them less vulnerable to potential hacking of the computer system”. It seems that there is currently just a single computer controlling the drinking water treatment system and supporting the administrative office for the system.

Now, I am absolutely sure that whoever came through to do this inspection it wasn’t anyone from the US Department of Homeland Security. DHS has no authority over security at water treatment plants; that authority has been loosely given to the US Environmental Protection Agency. Even the EPA wouldn’t be concerned with the Athens water treatment facility because it serves less than 3,500 customers (total population of Athens, NY is 3991 according to Wikipedia with only 1600 households which would equate to less than 2,000 customers).

I suppose that it could be a New York State agency making this inspection, but the appropriate agency in NY is the Division of Homeland Security and Emergency Services (DHSES). Even so, this water system is so small that I doubt that even they would be terribly involved in looking at the cybersecurity of the installation. There are certainly larger, more viable targets in the State of New York that need attention.

It is almost certainly a good idea to have the administrative functions of the water authority and the control system for the treatment plant on separate networks. And that is certainly hard to do when the network consists of a single computer. Having said that, it appears that, in this case at least, those security measures are beyond the budget of this system; they only have money for one additional computer.

On a closing note the article explains:

“Once the new system is in place, Homeland Security officials will come in and monitor the system for free to ensure it meets current security needs.”

That cinches the case, it wasn’t DHS involved in this operation, nor DHSES. No government agency would spend that kind of time on a small, low risk water system like this.

1 comment:

hdk said...

I think you make a number of assumptions that are in error here. It most certainly could have been DHS through the protective security advisor program. PSAs engage water systems within their jurisdictions all the time, regardless of size. These security visits are not under the color of regulatory program, but instead intended to improve the partnership effort. PSAs are encouraged to visit as many CIKR assets w/n their AOR, whether as part of the ECIP program, SAVs, or general "good PSA'ing."

During those visits, PSAs make suggestions on how facilities might improve security - including recommendations on how to address IT/ICS vulnerabilities.

Furthermore, ICS CERT conducts these sorts of site visits all the time (http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_April2011.pdf).

While your comment on the size of the Athens facility would place it below the radar of DHS, it's not outside of the realm of possibility that the PSA may have offered up ICS CERT monitoring capabilities.

In reading this article, my suspicion is that you just have some clumsy reporting. No computers were required, b/c as you point out, DHS doesn't have the authority to do so. But "required" and "recommended" are close enough for folks that aren't as well versed in ins and outs of DHS programs.

Wrapping it up, I'll take the position that DHS may have conducted this inspection and made a recommendation (or "options for consideration," as they're caveated in some of those post-visit reports) rather than required new computers.

/* Use this with templates/template-twocol.html */