Ex-employee tampered with Kansas water plant, feds say, a sign of online vulnerability

Sometimes it’s not some elite Korean team that’s tampering with the water supply. Does your threat model include ex-employees? …:

[…] No centralized database of attacks exists, but the Department of Homeland Security responded to 25 water cybersecurity incidents in 2015, according to a 2016 reportprepared for the Department of Energy. The true number of attacks is almost certainly higher and growing.

Yet even as the cyberthreat looms, small water systems like Post Rock face daunting challenges in securing their computers, The Star found.

These small utilities often don’t have the resources to hire dedicated information technology staff. Employees juggle multiple roles, with cybersecurity just one in a long list of items to check on. And any significant financial investment — including for cybersecurity — may raise the prospect of higher rates.

“As far as cities having an IT person, I just don’t know of any our size,” said Bill Shroyer, assistant city administrator in Sabetha, in northern Kansas, and president of the Kansas Rural Water Association. “And if we did have an IT person, they better know how to repair pot holes, fix water leaks, pick up snow and everything else that we do.”

[…]

Original article