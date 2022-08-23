

The EPA is up against a deadline to propose a cyber plan for the water sector

A ransomware gang is leaking documents revealing just how deeply they penetrated the systems of a U.K. water treatment plant that serves hundreds of thousands of customers, potentially gaining access to controls of the facility.

In recent days, cybersecurity analysts poring through the documents from the gang known as Clop — sometimes stylized as Cl0p — have suggested that the attack impacting South Staffordshire Water might have been worse than originally thought. The hackers may have gotten into Seedy Mill systems that control chemicals, known as industrial control systems (ICS), of which supervisory control and data acquisition (SCADA) is one variety.

The incident put a fresh focus on the water sector, which many experts consider one of the most vulnerable to cyberattacks — and where an attack could do the most damage. The sector is also awaiting potential cybersecurity regulations from the Environmental Protection Agency, per a mandate from Congress.

Food, shelter and safety are “the things that keep us from being ‘Lord of the Flies,’ ” Joshua Corman, vice president of cyber safety strategy at cybersecurity company Claroty, told me.

The attack(s)

The breached U.K. plant provides water to approximately 200,000 consumers, according to a 2017 video produced by the water plant.

“I’d be most concerned with, what could Clop have done while they were in there?” Emsisoft ransomware analyst Brett Callow told me. “There’s the potential for this being a catastrophic incident.”

Ransomware gangs are notorious for frequently lying, so take their document leaks with a hefty grain of salt. The South Staffordshire Water company didn’t return messages Monday seeking comment about whether hackers got into ICS/SCADA, or if there were any checks against meddling.

The attack follows last year’s hack of a water treatment plant in Oldsmar, Fla., where a hacker briefly increased the levels of sodium hydroxide — also known as lye — 100-fold before quickly being detected. If successful, such an attack could have poisoned the local population.

Callow has counted seven separate ransomware attacks on government-owned water facilities in the United States that have become public since 2019.

State of the defenses

The congressionally created Cyberspace Solarium Commission concluded in its 2020 report that “water utilities remain largely ill-prepared to defend their networks from cyber-enabled disruption.” Its members and staffers have continued to beat the drum about the poor state of water cybersecurity since.

An estimated 70,000 utilities control the water supply in the United States, some very small and thus lacking cyber expertise and the dollars to implement improved defenses.

“What keeps me up at night are those smaller systems that don’t have the cybersecurity staff or don’t have the controls,” the director of infrastructure cyber defense at the Water Information Sharing and Analysis Center (WaterISAC), Jennifer Lyn Walker, told me. WaterISAC works to share threat information with sector members.

Some, Walker included, consider the picture less dire than sometimes depicted.

“With events like the South Staffordshire, U.K., hack last week, and the Oldsmar, Fla. water treatment facility attack last year, utilities and governments are getting spooked — and real change finally appears to be imminent,” Duncan Greatwood, CEO of critical infrastructure security company Xage, told me.

Said Kevin Morley, federal relations manager of the American Water Works Association: “We’ve accepted that there is a legitimate threat to water systems as well as other critical infrastructure systems … There’s a serious need for capacity development.”

Government answers

An announcement last month that the Biden administration would soon have the EPA incorporate cybersecurity into sanitation reviews had long worried the water sector, which has opposed the idea for months on legal and other grounds.

In the bipartisan infrastructure law, Congress directed the EPA to develop a plan to prioritize water facilities for cyber protections. That plan was due to Congress on Monday. The EPA didn’t answer a request by press time about when it would be delivered. Multiple industry officials told me the EPA hadn’t given them information about the plan.

But there’s a long way to go besides. One estimate places the EPA’s total spending on cybersecurity at its Office of Water at $7 million. Sector officials say they need much, much more funding.

“It's going to take a long time to get from current state to desired state, and can we preserve the trust of the public in parallel with that long crawl/walk/run journey?” Corman asked.

Twitter misled regulators and board about ‘egregious deficiencies’ in defenses against hackers

Former Twitter head of security Peiter Zatko said in a whistleblower complaint that thousands of employees at the social media firm had wide-ranging access to core company software, and that their access wasn’t well-tracked, Joseph Menn, Elizabeth Dwoskin and Cat Zakrzewski report. The complaint was sent to the Securities and Exchange Commission, Federal Trade Commission and Justice Department.

“Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan,” Joseph writes. “Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.”

Zatko famously testified before Congress under his hacker name, “Mudge,” and wrote a powerful password-cracking tool by age 30, Joseph reports. He described going public about the issues at Twitter as an extension of his previous work exposing failings in software and, more broadly, cybersecurity, Joseph reports. “I felt ethically bound. This is not a light step to take,” Zatko, who was fired by Twitter chief executive Parag Agrawal in January, told The Post.

Zatko raised concerns about a presentation to the company's board that described security incidents at the company, according to the complaint. Zatko said the presentation was misleading and reported internally that a meeting of the company's Risk Committee was fraudulent after Agrawal allowed the presentation to go to the committee over Zatko's objections. Agrawal fired Zatko two weeks later, according to the complaint.

Zatko declined to discuss what happened at Twitter beyond standing by his formal complaint. He is entitled to protection against retaliation and potential monetary rewards under SEC rules.

Twitter described the complaint as an opportunist attack. “Security and privacy have long been top companywide priorities at Twitter,” said Rebecca Hahn, Twitter’s global vice president of communications.

“Mr. Zatko was fired from Twitter more than six months ago for poor performance and leadership, and he now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.” The company's security practices are within industry standards and the company has rules about who can access its systems, Hahn said. The company investigated Zatko's security claims and found that they were sensationalistic and without merit, a person familiar with his tenure told The Post.

NSO Group lays off 15 percent of workforce and chief executive resigns

Chief operating officer Yaron Shohat will replace NSO co-founder and longtime chief executive Shalev Hulio while the company’s board looks for a new CEO, Miriam Berger reports. The upheaval at the Israeli firm comes as it grapples with global backlash and legal action over the use of its Pegasus spyware, which has been used to target activists, executives and journalists.

Hulio’s resignation is part of a company reorganization attempting to focus its sales on members of the NATO alliance, NSO said. The firm has 22 clients in 12 countries across Europe, NSO told European lawmakers investigating the company and other spyware firms, Haaretz’s Omer Benjakob reported.

NSO has had financial issues for months.

Election deniers downloaded sensitive election system files

A Georgia computer forensics firm hired by attorneys working to overturn Donald Trump’s 2020 election defeat put copies of components in Coffee County, Ga., and Antrim County, Mich., election systems on a server, where records show that they were downloaded dozens of times, Jon Swaine, Aaron C. Davis, Amy Gardner and Emma Brown report.

“Among the downloaders were accounts associated with a Texas meteorologist who has appeared on Sean Hannity’s radio show; a podcaster who suggested political enemies should be executed; a former pro-surfer who pushed disproved theories that the 2020 election was manipulated; and a self-described former ‘seduction and pickup coach’ who claims to also have been a hacker,” my colleagues write.

Plaintiffs in a lawsuit over voting machine security in Georgia obtained the records under a subpoena to an executive at the firm, Atlanta-based SullivanStrickler. The attorneys who hired SullivanStrickler directed it “to contact county officials to obtain access to certain data” from Dominion voting machines in Georgia and Michigan, the firm said. “Likewise, the firm was directed by attorneys to distribute that data to certain individuals,” it said. The firm said that it “had [and has] no reason to believe that, as officers of the court, these attorneys would ask or direct SullivanStrickler to do anything either improper or illegal.”

Chat room

NSA cybersecurity director Rob Joyce weighed in on hacking by foreign countries by posting two memes:

Thanks for reading.

