www.securityweek.com
Open in
urlscan Pro
2606:4700:20::6818:a003
Public Scan
URL:
https://www.securityweek.com/300-drinking-water-systems-in-us-exposed-to-disruptive-damaging-hacker-attacks/
Submission: On November 19 via api from TR — Scanned from US
Submission: On November 19 via api from TR — Scanned from US
Form analysis 4 forms found in the DOM
GET https://www.securityweek.com/
<form method="get" id="zox-search-form" action="https://www.securityweek.com/">
<input type="text" name="s" id="zox-search-input" value="Search" onfocus="if (!window.__cfRLUnblockHandlers) return false; if (this.value == "Search") { this.value = ""; }"
onblur="if (!window.__cfRLUnblockHandlers) return false; if (this.value == "Search") { this.value = ""; }">
<input type="submit" id="zox-search-submit" value="Search">
</form>Name: ccoptin — POST https://visitor.constantcontact.com/d.jsp
<form class="sw-newsletter-cc" style="" method="post" target="_blank" action="https://visitor.constantcontact.com/d.jsp" name="ccoptin">
<input type="hidden" value="1102592012458" name="m">
<input type="hidden" value="oi" name="p">
<div class="form-item">
<input type="text" class="form-text required" value="" placeholder="Business Email Address..." size="60" name="ea" maxlength="128">
<input type="submit" class="submit" value="Subscribe" name="go">
</div>
</form>Name: ccoptin — POST https://visitor.constantcontact.com/d.jsp
<form class="sw-newsletter-cc" style="" method="post" target="_blank" action="https://visitor.constantcontact.com/d.jsp" name="ccoptin">
<input type="hidden" value="1102592012458" name="m">
<input type="hidden" value="oi" name="p">
<div class="form-item">
<input type="text" class="form-text required" value="" placeholder="Business Email Address..." size="60" name="ea" maxlength="128">
<input type="submit" class="submit" value="Subscribe" name="go">
</div>
</form>Name: ccoptin — POST https://visitor.constantcontact.com/d.jsp
<form class="sw-newsletter-cc" method="post" target="_blank" action="https://visitor.constantcontact.com/d.jsp" name="ccoptin">
<input type="hidden" value="1102592012458" name="m">
<input type="hidden" value="oi" name="p">
<div class="form-item">
<input type="text" name="ea" maxlength="128" placeholder="Business Email Address..." class="form-text required" required="">
<input type="submit" class="submit" value="Subscribe" name="go">
</div>
</form>Text Content
SECURITYWEEK NETWORK: * Cybersecurity News * Webcasts * Virtual Events ICS: * ICS Cybersecurity Conference * Malware & Threats * Cyberwarfare * Cybercrime * Data Breaches * Fraud & Identity Theft * Nation-State * Ransomware * Vulnerabilities * Security Operations * Threat Intelligence * Incident Response * Tracking & Law Enforcement * Security Architecture * Application Security * Cloud Security * Endpoint Security * Identity & Access * IoT Security * Mobile & Wireless * Network Security * Risk Management * Cyber Insurance * Data Protection * Privacy & Compliance * Supply Chain Security * CISO Strategy * Cyber Insurance * CISO Conversations * CISO Forum * ICS/OT * Industrial Cybersecurity * ICS Cybersecurity Conference * Funding/M&A * Cybersecurity Funding * M&A Tracker * Cybersecurity News * Webcasts * Virtual Events * ICS Cybersecurity Conference Connect with us * * * Hi, what are you looking for? SECURITYWEEK * Malware & Threats * Cyberwarfare * Cybercrime * Data Breaches * Fraud & Identity Theft * Nation-State * Ransomware * Vulnerabilities * Security Operations * Threat Intelligence * Incident Response * Tracking & Law Enforcement * Security Architecture * Application Security * Cloud Security * Endpoint Security * Identity & Access * IoT Security * Mobile & Wireless * Network Security * Risk Management * Cyber Insurance * Data Protection * Privacy & Compliance * Supply Chain Security * CISO Strategy * Cyber Insurance * CISO Conversations * CISO Forum * ICS/OT * Industrial Cybersecurity * ICS Cybersecurity Conference * Funding/M&A * Cybersecurity Funding * M&A Tracker ICS/OT 300 DRINKING WATER SYSTEMS IN US EXPOSED TO DISRUPTIVE, DAMAGING HACKER ATTACKS EPA flags security vulnerabilities in more than 300 drinking water systems that serve roughly 110 million individuals. By Ionut Arghire November 18, 2024 * * Flipboard Reddit Whatsapp Whatsapp Email Over 300 drinking water systems that serve roughly 110 million people in the US are affected by vulnerabilities that could lead to service disruptions, a new report from the Environmental Protection Agency (EPA)’s Office of Inspector General (OIG) shows. A passive assessment of security defects in 1,062 drinking water systems that serve over 193 million individuals has revealed that a quarter of them could potentially fall victim to attacks leading to functionality loss, denial-of-service (DoS) conditions, and customer information compromise. The assessment covered five cybersecurity categories, namely email security, IT hygiene, vulnerabilities, adversarial threat, and malicious activity, and rated the identified weaknesses with critical to low scores, based on their potential impact. As of October 2024, 97 of the assessed water systems, which serve approximately 27 million individuals, contained critical and high-severity issues, OIG’s report (PDF) shows. An additional 211 drinking water systems, covering roughly 83 million people, were found to be impacted by medium and low-severity weaknesses, by having externally visible open portals. “If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” OIG says. The assessment included mapping the digital footprint for each of the investigated systems, covering the infrastructure used for collecting, pumping, treating, storing, and distributing the drinking water, and involved the analysis of more than 75,000 IPs and 14,400 domains. The OIG’s report also points out that the EPA itself lacks a “cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity incidents” and that the agency relies on CISA for this type of reporting. Advertisement. Scroll to continue reading. “Moreover, we were unable to find documented policies and procedures related to the EPA’s coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies,” OIG notes. The report comes roughly one month after New Jersey-based American Water, which services more than 14 million people in 14 states and on 18 military installations, fell victim to a cyberattack that forced it to shut down certain systems. Water services were not affected. In May, EPA warned that over 70% of water systems did not comply with the Safe Drinking Water Act, underlining critical-severity issues, such as the use of default passwords and easily hackable authentication systems. Related: Homeland Security Department Releases Framework for Using AI in Critical Infrastructure Related: Major US, UK Water Companies Hit by Ransomware Related: CISA Offering Free Vulnerability Scanning Service to Water Utilities Related: Submarine Cables at Risk of Nation-State Sabotage, Spying: Report Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. MORE FROM IONUT ARGHIRE * Glove Stealer Malware Bypasses Chrome’s App-Bound Encryption * Known Brand, Government Domains Hijacked via Sitting Ducks Attacks * Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover * LightSpy Spyware Operation Expands to Windows * Iranian Hackers Target Aerospace Industry in ‘Dream Job’ Campaign * Bitsight to Acquire Cybersixgill for $115 Million * CISA, FBI Confirm China Hacked Telecoms Providers for Spying * Idaho Man Sentenced to 10 Years in Prison for Hacking, Data Theft, Extortion LATEST NEWS * VMware Discloses Exploitation of Hard-to-Fix vCenter Server Flaw * Why Custom IOCs Are Necessary for Advanced Threat Hunting and Detection * Discontinued GeoVision Products Targeted in Botnet Attacks via Zero-Day * Ransomware Attack on Oklahoma Medical Center Impacts 133,000 * Palo Alto Networks Releases IoCs for New Firewall Zero-Day * Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched: Report * AnnieMac Data Breach Impacts 171,000 People * Library of Congress Says an Adversary Hacked Some Emails TRENDING PALO ALTO NETWORKS CONFIRMS NEW FIREWALL ZERO-DAY EXPLOITATION FORTINET VPN ZERO-DAY EXPLOITED IN MALWARE ATTACKS REMAINS UNPATCHED: REPORT 300 DRINKING WATER SYSTEMS IN US EXPOSED TO DISRUPTIVE, DAMAGING HACKER ATTACKS PALO ALTO NETWORKS RELEASES IOCS FOR NEW FIREWALL ZERO-DAY T-MOBILE ALSO TARGETED IN CHINESE TELECOM HACKING CAMPAIGN CRITICAL PLUGIN FLAW EXPOSED 4 MILLION WORDPRESS WEBSITES TO TAKEOVER MICROSOFT CONFIRMS ZERO-DAY EXPLOITATION OF TASK SCHEDULER FLAW HOMELAND SECURITY DEPARTMENT RELEASES FRAMEWORK FOR USING AI IN CRITICAL INFRASTRUCTURE DAILY BRIEFING NEWSLETTER Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. WEBINAR: INSIDE A HACKER’S PLAYBOOK: HOW CYBERCRIMINALS USE DEEPFAKES AND BEC TO STEAL COMPANY FUNDS December 10, 2024 Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses. Register EVENT: ICS CYBERSECURITY CONFERENCE Oct. 21-24, 2024 | Atlanta The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity. Watch Sessions PEOPLE ON THE MOVE Steve Frank has joined KPMG and KPMG Americas as Chief Information Security Officer (CISO). Erica Smith will become CFO at CyberArk, effective January 1, 2025. AI-powered identity verification provider Vouched has appointed Neal Oman as CTO and Patrick Williams as Senior Director of Marketing. More People On The Move EXPERT INSIGHTS WHY CUSTOM IOCS ARE NECESSARY FOR ADVANCED THREAT HUNTING AND DETECTION The ability to internalize and operationalize customized threat intelligence as part of a holistic security system is no longer a luxury; it's a necessity. (Etay Maor) THE BIGGEST INHIBITOR OF CYBERSECURITY: THE HUMAN ELEMENT Essential steps such as security awareness training, MFA, and Zero Trust identity management help organizations reduce the human element and stay ahead in the cybersecurity curve. (Torsten George) DESIGNING A FUTURE-FOCUSED CYBERSECURITY INVESTMENT STRATEGY CISOs must attempt to define a strategic approach to technology investment that will protect the business over the long term. (Marc Solomon) API SECURITY MATTERS: THE RISKS OF TURNING A BLIND EYE Willfully ignoring important security issues to make our lives easier is, unfortunately, something that does happen in the security field. (Joshua Goldfarb) BACK TO THE FUTURE, SECURING GENERATIVE AI While there are similar security challenges that parallel traditional security, we must understand that AI requires new ways to approach security. (Matt Honea) * * Flipboard Reddit Whatsapp Whatsapp Email * * * POPULAR TOPICS * Cybersecurity News * Industrial Cybersecurity SECURITY COMMUNITY * Virtual Cybersecurity Events * Webcast Library * CISO Forum * AI Risk Summit * ICS Cybersecurity Conference * Cybersecurity Newsletters STAY INTOUCH * Cyber Weapon Discussion Group * RSS Feed * Security Intelligence Group * Follow SecurityWeek on LinkedIn ABOUT SECURITYWEEK * Advertising * Event Sponsorships * Writing Opportunities * Feedback/Contact Us NEWS TIPS Got a confidential news tip? We want to hear from you. Submit Tip ADVERTISING Reach a large audience of enterprise cybersecurity professionals Contact Us DAILY BRIEFING NEWSLETTER Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox. * Privacy Policy Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved. DAILY BRIEFING NEWSLETTER Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time. Close