Jan 15, 2021:
Hacker accessed SF Bay water treatment plant, deleting drinking water treatment programs
Feb 8, 2021:
Hacker broke into Florida town’s water supply and tried to poison it with lye
Jun 17, 2021:
50,000 security disasters waiting to happen: the problem of America’s water supplies
The headlines read like the plot from a Hollywood disaster movie: hackers gain access to a community’s water supply, poisoning a population. Recent breaches in two American water treatment facilities highlight the uncomfortable fact that this is not simply a nightmare scenario manufactured for the big screen, but is instead a very real threat. Read on to learn more about vulnerabilities in many water treatment facilities, how hackers have been able to breach security, and what resources are available to help combat this risk to our nation’s water supply.
Who are the hackers?
As Georgetown University’s School of Foreign Service professor Ben Buchanan pointed out, if the attacker is an outside agent, the breach would require reconnaissance to learn the system well enough to sabotage it. In many cases, Buchanan noted, the attacker is a disgruntled employee who already knew the system. In the Oldsmar, Florida case, a hacker compromised the plant’s remote access software to change the water supply’s sodium hydroxide setting from 100 parts per million to 11,110. Sometimes the “hack” is nothing more than simple compromised login credentials. The San Francisco water treatment breach was caused by someone logging in using a former employee’s username and password. The identity and motive of hackers often remain a mystery. For both the Florida and California attacks, the actors responsible remain unknown at the time of this blog. Whether the hackers are former employees with a score to settle, ransomware thieves like those who targeted the Colonial Pipeline in May, or even state-sponsored attacks such as that on SolarWinds in 2020, the fact remains: water supply infrastructure is an “increasingly popular target.”
Understanding the vulnerabilities
Unlike other utilities which have been tasked with “increasingly stringent rules” for physical and cybersecurity, drinking water treatment facilities across the United States remain inconsistent, and don’t have to meet any national standard for cybersecurity. As J. Alan Roberson, executive director of the Association of State Drinking Water Administrators, noted, the “largest water systems are best prepared for cyberattacks because they’re heavily invested in addressing security threats.” However, of 50,000+ drinking water treatment plants across the United States, smaller water facilities often do not have the technology or resources to address cyberthreats, and are often run by a handful of employees.
What can be done?
It’s not all doom and gloom, however. The United States government has increasingly recognized the threat, and given water treatment facilities tools and funding to beef up their overall plant security. Three promising developments include:
- The American Water Infrastructure Act of 2018 (AWIA). This Act requires systems serving more than 3,300 to complete a risk and resilience assessment and develop an emergency response plan. While the AWIA does not require the use of “any standards, methods or tools” for the assessment, it does provide criteria for assessing the effectiveness of existing or proposed assessment tools as well as an utility risk assessment for discovering areas of strength and those requiring remediation. (For more information about the AWIA and how Clark Dietz can help, check out our previous blog post, What You Need to Know About Risk and Resilience Assessments.)
- The American Rescue Plan Act of 2021 (ARPA) provides $65.1 billion in direct aid to counties for infrastructure measures, including efforts to improve access to clean drinking water and support wastewater and stormwater infrastructure. One of the eligible uses for the water and sewer infrastructure includes “security measures at publicly-owned treatment works” under the EPA’s Clean Water State Revolving Fund (CWSRF). (Find more information about ARPA on our blog - Clark Dietz: Your Partner in American Rescue Plan Act).
2021 Executive Order on Improving the Nation’s Cybersecurity. The Order signed by President Biden on May 12, 2021, recognizes the “persistent and increasingly sophisticated malicious cyber campaigns” that threaten the United States. While it’s unclear whether this Executive Order will help on its own, it does signify a willingness of the federal government to take such threats seriously and provides a framework for Administration policy regarding cybersecurity threats.
We can help.
Between the new rules on required security, increased threat of cyberattacks, a policy change in the current administration exhibiting an interest in addressing treatment plant threats, as well as newly allocated federal funding, a compelling case may be made that beefing up the security at water treatment facilities should be a nationwide priority. Clark Dietz is your partner in achieving and maintaining compliance in the face of changing guidelines, determining projects that best serve your community’s individual needs, and for procuring funding to do work to keep your water supply (and your residents) safe. Contact us to get started!
Illinois: Andrea Bretl
Wisconsin: Diane Thoune