A Tale of Two Cities water attacks – Oldsmar and Discovery Bay

There have been more than 130 control system cyber incidents in water/wastewater utilities. Like Oldsmar and Discovery Bay, most of these incidents have occurred in small water utilities. Many of these incidents were not publicly disclosed, nor were the utilities required to disclose them. When the Oldsmar water “hack” was publicized, a water system hack was also identified in Northern California with no other details and was summarily dismissed by the OT cyber security community – they had Oldsmar. Unfortunately for the OT cyber security community and EPA, Oldsmar was not a hack, but operator error. None of the OT cyber security firms assisting water utilities on the “Oldsmar response” ever acknowledged it was not a hack. Moreover, the Discovery Bay hack, which was real, was not publicly identified until the FBI issued their indictment 2½ years later.

Neither AWWA, EPA, nor CISA cyber security guidance or requirements are designed to address insider security threats. In both instances, if the SCADA and/or instrumentation were compromised in a manner that resulted in the systems “being in a credible range”, the impact may not have been identified by monitoring the OT networks and would have needed engineering input. Just like other infrastructures, the water/wastewater cyber security focus is on Internet Protocol (IP) network issues, with OT network personnel ignoring the other cyber-vulnerable systems. The cyber incident reporting requirements addressed in the National Cyber Security Plan, other government and industry documents, and the recent SEC requirements don’t address the FBI non-disclosure protocols.



