Survey: Many water utilities lack data on IT, OT assets

The new survey data from an information sharing and analysis center was published on the same day a news outlet reported a water treatment facility in California was easily breached by an individual who possessed a former employee's credentials.


More than 60% of water utilities say they have not fully assessed what assets comprise their IT networks and only a little more than 21% of those utilities said they are working to do so.

Further, roughly 70% said they have not fully identified all operational technology networked assets and fewer than a quarter are working to do so.

Those figures come from a new survey conducted by the Water Information Sharing and Analysis Center (Water-ISAC) that includes responses from more than 530 organizations.

The survey lands the same day that NBC News reported a hacker in January breached a San Francisco Bay Area water treatment plant and did it with relative ease: using a former employee's credentials for a popular remote work software program.

That incident, which was previously unreported, came just weeks before a water treatment plant in Florida made national headlines when it too was breached through an outdated operating system and vulnerable remote work software.

Of the hundreds of treatment plants that responded to the Water-ISAC survey, only four organizations confirmed a breach of their IT or OT systems in the past year, while dozens responded that they were "not sure" if they had experienced an incident.

In the wake of the attack against Colonial Pipeline, House and Senate lawmakers have repeatedly questioned officials about whether the Cybersecurity and Infrastructure Security Agency should play a greater regulatory role for the natural gas and oil industry when it comes to cybersecurity.

As it stands, CISA only assists private companies when requested, and while recent legislation has given the agency some leeway in terms of administrative subpoenas, it still lacks regulatory powers beyond emergency directives issued for the federal government's civilian networks.

According to data compiled by CISA about the water industry and provided to FCW, roughly 10% of water utilities have reported a critical vulnerability and 40% reported a high vulnerability. Most vulnerabilities water plants have reported -- more than 80% -- were common vulnerabilities and exposures (CVEs) published prior to 2017. (The CISA data was first published in the NBC News story.)

The Water-ISAC published a list of six older CVEs for its members on June 17, saying it was "aware of several reports of threat actors leveraging multiple vulnerabilities to exploit unpatched systems in the water and wastewater sector."