There is an interesting
article on TheDailyMail.net about a recent DHS inspection of a water
treatment facility in a small town in New York. The article claims that “the
Department of Homeland Security is requiring the Village of Athens to replace
the computers at the water filtration plant to make them less vulnerable to
potential hacking of the computer system”. It seems that there is currently
just a single computer controlling the drinking water treatment system and
supporting the administrative office for the system.
Now, I am absolutely sure that whoever came through to do
this inspection it wasn’t anyone from the US Department of Homeland Security.
DHS has no authority over security at water treatment plants; that authority
has been loosely given to the US Environmental Protection Agency. Even the EPA
wouldn’t be concerned with the Athens water treatment facility because it
serves less than 3,500 customers (total population of Athens, NY is 3991 according to
Wikipedia with only 1600 households which would equate to less than 2,000
customers).
I suppose that it could be a New York State agency making
this inspection, but the appropriate agency in NY is the Division of Homeland Security and Emergency
Services (DHSES). Even so, this water system is so small that I doubt that even
they would be terribly involved in looking at the cybersecurity of the
installation. There are certainly larger, more viable targets in the State of
New York that need attention.
It is almost certainly a good idea to have the
administrative functions of the water authority and the control system for the
treatment plant on separate networks. And that is certainly hard to do when the
network consists of a single computer. Having said that, it appears that, in
this case at least, those security measures are beyond the budget of this
system; they only have money for one additional computer.
On a closing note the article explains:
“Once the new system is in place,
Homeland Security officials will come in and monitor the system for free to
ensure it meets current security needs.”
That cinches the case, it wasn’t DHS involved in this
operation, nor DHSES. No government agency would spend that kind of time on a
small, low risk water system like this.
1 comment:
I think you make a number of assumptions that are in error here. It most certainly could have been DHS through the protective security advisor program. PSAs engage water systems within their jurisdictions all the time, regardless of size. These security visits are not under the color of regulatory program, but instead intended to improve the partnership effort. PSAs are encouraged to visit as many CIKR assets w/n their AOR, whether as part of the ECIP program, SAVs, or general "good PSA'ing."
During those visits, PSAs make suggestions on how facilities might improve security - including recommendations on how to address IT/ICS vulnerabilities.
Furthermore, ICS CERT conducts these sorts of site visits all the time (http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_April2011.pdf).
While your comment on the size of the Athens facility would place it below the radar of DHS, it's not outside of the realm of possibility that the PSA may have offered up ICS CERT monitoring capabilities.
In reading this article, my suspicion is that you just have some clumsy reporting. No computers were required, b/c as you point out, DHS doesn't have the authority to do so. But "required" and "recommended" are close enough for folks that aren't as well versed in ins and outs of DHS programs.
Wrapping it up, I'll take the position that DHS may have conducted this inspection and made a recommendation (or "options for consideration," as they're caveated in some of those post-visit reports) rather than required new computers.
Post a Comment