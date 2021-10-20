Water just may be the most critical material to the human experience. I know some of you might place your iPhone, car or truck, or Netflix credentials high on the list. Think more seriously about base needs: water, food, sustenance.
Water covers over 70% of earth’s surface. The human lifeform, solid as it seems, is comprised of between 55% and 75% water. Because we need nearly two gallons of water each day, this should not be surprising. We humans rely on the health of our entire ecosystem, which includes the incomprehensive importance of oceanic and freshwater life. Without plant and animal kingdoms and species that rely on aquaculture, our ecosystem gets disrupted and devastation on land comes next.
Unlike plant life’s and the animal planet’s lax water standards, we humans need comparably clean and pure water. Through a lifetime of backpacking, hiking, and camping I’ve seen black and brown bears, all sorts of cloven animals, myriad birds, and countless other species amble up to a body of natural water to sustain life. Would I have followed so casually, who knows what parasite or disease I might’ve welcomed into my system. To convert what winged or four-legged creatures consume with ease into something safe for my use and health I must filter it first.
When considering the breadth of human water consumption, including indirect use through crop irrigation, it’s quite the minority of H2O molecules that are fit for human drinking without first filtering and treating them. I grew up on well water, so I recognize that not all water needs to be treated first. Most people in America get their water after some form of treatment has been applied. Around the world, for many who don’t have a well, that option does not exist. Even in 2021 there are still around a billion of us who do not have ready access to safe, affordable drinking water.
For those of us privileged to have potable water on tap, we most likely rely on U.S. Water and Wastewater Systems Sector facilities. Many components make up the system of critical infrastructure: water, electricity, healthcare, transportation, and so on. The WWS plants seem as critical as any. A healthy person can live for days without food, without clean clothing, without Hulu. How long, though, without water? Dehydration quickly affects our overall health. Thus, without WWS facilities churning out that clear lifeforce reliably, fate answers.
Modern day WWS operations have been through the same technological evolution as modern day everything else. Computer powered and controlled networks connect water purification devices to make cleaner water more efficiently and cheaply before traveling to our taps. Just three recent incidents illustrate how vulnerable the far-reaching WWS system is since becoming dependent on technologies. Earlier this year in Nevada, Maine, and California, on separate occasions, hackers attacked WWS facilities. Ransomware was discovered at the California plant, and was poised to hold its supervisory controls hostage until payment was made. Similar attacks happened in Maine and Nevada, though there some functions reverted to manual operations until security experts cured the breach. In more effective cases elsewhere and earlier, hackers altered chemical levels remotely, or tried to introduce poison to the system.
Those weren’t all too creative in light of nation-state-level hacking operations, or even as compared to savvy profiteers’ ploys online. The security implications of networked WWS plants are as wide and varied as the banking industry faces, or those that we ham-and-eggers wake up to every day. Hackers are inventive, industrious, and can be egoists who love advertising bragging rights about their creative destruction techniques. To be too focused on ransomware would lull us into being even more vulnerable to other tactics.
It is incredibly important that this be taken seriously, and that defenses are designed immediately. If our villains were from fictitious comic stories, where braggadocio isn’t as brazen as the hacker community, attacks might be even more dangerous because to secretly subvert security without bravado might lead to the most heinous outcomes. For now, we should feel fortunate that a ransomware popup screen demands action. At least we can know about the risks.
The U.S. Cybersecurity and Infrastructure Agency has partnered with the likes of the FBI, the National Security Agency, and the EPA in a joint advisory alert about WWS cybersecurity. The government’s task force, of sorts, that published the advisory alert last week should quell these fears It’s all hands, after all.
CISA and the group warned WWS facilities about the threats. They discussed spearphishing, which is like phishing emails where a malicious link is included in a mass email that goes to all employees. A phishing attack is successful when one unwitting staffer clicks a link that loads malware onto the system. With spearphishing, the target is more acute because only higher-ups might have permissions to get into the most secure areas of the WWS systems. A spear instead of a shotgun. After spearphishing, WWSs were warned about insider threats. Current or former employees with access permissions pose a great threat, and have levied attacks against WWSs. The third area of vulnerability was outdated software. Without keeping systems updated, security flaws go untended.
The CISA alert then gave advice on overcoming threats inherent to the WWS environment, and frankly this is where my hopes got deflated. “Don’t click malicious links and do use stronger passwords” summed it up. This is sound advice, but against the incredibly critical system that provides life itself, it seems so basic as compared to the sophisticated hackers. Before I place blame on too simplistic and outdated advice, let’s acknowledge the tragedy that it still must be given in 2021.
Leadership over WWS plants could by now have made password and phishing defensive effective, minimum protocols. Treat cyber threats like the water you’re treating itself. Clarify security standards, test regularly, and prepare for the worst.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
