Cybersecurity at municipal water utilities has been a growing concern in recent years, but the latest hack into a small Florida city’s water supply is shining a spotlight on the scope of the vulnerability and the challenges of preventing something similar from happening most everywhere else.
It happened when a hacker breached a system network and took control of a computer in Oldsmar, which is near Tampa. The hacker attempted to increase the level of sodium hydroxide in the water to dangerous levels, but the effort failed when an astute utility employee noticed what was happening and made a correction before it went to customers.
Although it was thwarted, the hack shows just how vulnerable water utilities are to being attacked. Security experts cite a confluence of factors for the growing problem, including a lack of funding; understaffed IT departments, which in some cases have no staff dedicated to cybersecurity; less uniformity in technology and security measures; and utility computer networks becoming much easier to reach online, especially with the addition of remote monitoring.
In other words, it’s likely going to take significant investments in people and technology at the local level to get a handle on the issue.
The 2018 America’s Water Infrastructure Act requires utilities to complete a risk and resiliency assessment that must include cyber threats to enterprise systems and process control systems. This incident should underscore the urgency of that work, said AWWA CEO David LaFrance, in a statement.
“We are not powerless against cyber threats,” LaFrance said. “There are resources available to help utilities of all sizes.”
This includes AWWA’s Water Sector Cybersecurity Risk Management Guidance and the accompanying assessment tool, which are free at www.awwa.org/cybersecurity, as well as a Cybersecurity Risk & Responsibility in the Water Sector report and other eLearning opportunities and documents.
Even though the Florida hack failed, it has gotten the attention of top security policymakers. This includes Senate Intelligence Committee Chairman Mark Warner (D-Va.), who wrote the FBI and EPA to request an update. Warner has voiced concerns that the hack has wider implications. The FBI as well as other state and federal agencies opened an investigation into the incident. However, while potential hacks like the Florida incident sound alarming, some scientists say the damage to public trust in utilities is a much greater risk than the possibility of harm being caused by an intrusion because water problems are often found quickly. That group is also more concerned about the looming threats of deferred repairs, watershed pollution, and climate change
