Defendant in federal court accused of cyber attack on ICS system in the US

Guest post from the ICS cyber security blog:
Defendant in federal court in cyber attack on ICS system in the US

April 17, 2021 – icscybersec

According to information released by the US Department of Justice (DoJ), a 22-year-old man from Kansas will be tried in federal court for unauthorised access to ICS systems at the Ellsworth County Water Works, also in Kansas. According to the agent in charge of the Environmental Protection Agency's (EPA) Criminal Investigations Division, the defendant endangered the drinking water system and, through it, the safety of the community by illegally accessing and modifying the water plant's systems. The information released does not say whether the illegal modifications were successful or how the changes were detected, but the defendant now faces up to 25 years in federal prison and a fine of up to $500,000.

This was neither the first nor the last cybersecurity incident at US water utilities: just think of the incident at the Oldsmar water plant in Florida, and the series of attacks on Israeli water companies was not that long ago either. In addition, according to information released by the DoE in 2016, there were at least 25 cybersecurity incidents in 2015 in the systems of various (small) US water utilities, so recent events are far from unprecedented.

What is increasingly evident is that the cybersecurity of national critical infrastructure is now being given growing importance in the US at the highest (federal) level and in several branches of power: the executive (as described in the presidential executive orders repeatedly cited in this blog) and the judicial, or at least prosecutorial. I wonder when we will start down a similar path here at home. There can be no question that we should follow the US (in this matter anyway); the question is rather what is needed to make Hungarian decision-makers feel that this is important enough.

Although water utility companies in Hungary are of a different size and therefore (I assume) face different problems and challenges, the problems of small utility companies are, I think, also present in Hungary, though we have to look at a different sector. Small and backyard solar power plants, which have mushroomed in recent years and are subsidised by the state, may pose similar cyber security risks. Individually, these solar power plants do not represent a significant installed capacity for the national electricity system, but given how many of them are built using the same technology from just a few manufacturers, often in series, and communicate with the systems of the local electricity supplier via public networks, it is clear that they can pose serious risks.

***

The original guest post was published on the ICS cyber security blog.

Translated by DeepL.