Many water and wastewater utilities, particularly small systems, lack the resources for a cyber security program. Many utility personnel may believe that cyber attacks do not present a risk to their systems or feel that they lack the technical capability to improve their cyber security.
Earlier this year, hackers accessed the water treatment plant of a small Florida city. According to the Tampa Bay Times, the intrusion only lasted between three and five minutes. In that time, the level of sodium hydroxide being fed to the city of Oldsmar, Florida was changed from 100 to 11,100 parts per million. It took five and a half hours for an employee to notice the change
“This is dangerous stuff,” Pinellas County Sheriff Bob Gualtieri said at a news conference. Consumed in large quantities, sodium hydroxide can cause vomiting, chest and abdominal pain, skin burns, even hair loss, according to the Centers for Disease Control.
Kansas Rural Water
In April of this year, a U.S. grand jury indicted a 22-year-old man for allegedly hacking the computer system of a rural water utility in Kansas and shutting down processes that affect procedures for cleaning and disinfecting water.
Federal prosecutors allege in an indictment that Wyatt Travnichek logged into Ellsworth County Rural Water District’s computer system in 2019 as part of an “unauthorized remote intrusion” that resulted “in the shut-down of the facility’s processes.”
Of all the U.S. critical infrastructure, water might be the most vulnerable to hackers. It’s the hardest to guarantee everyone follows cyber security steps and the easiest to cause significant, real-world harm to large numbers of people.
According to Cybersecurity and Infrastructure Security Agency (CISA) survey, only several hundred out of more than 50,000 across the U.S. choose to use CISA’s services. It also noted that as many as 1 in 10 water and wastewater plants had recently found critical cyber security vulnerabilities. And that more than 80% of the significant vulnerabilities that the surveyed facilities had were software flaws discovered before 2017, indicating a rampant problem of employees not updating their software.
There is hope and help
Basic cyber security best practices can be carried out by utility personnel as long as they have cyber security specialists audit their system and get cyber hygiene training for their employees.