A Bill was passed by Congress in 2018 that was meant to prevent cyber-security breaches on America’s 167,000 public water systems and water treatment plants. An analytics team at Booz Allen Hamilton published a paper that found our country’s water utilities to be “a perfect target” for cyber-attacks. The paper stated, “Government-backed adversaries may increasingly penetrate the industrial control systems (ICS) of water utilities to conduct reconnaissance and generate fear and uncertainty, mirroring their historical focus on frequent intrusions and rare disruptions at energy firms.”
The requirements in the Bill do little to address the danger of an entity hacking into our drinking water distribution facilities. For example, it allows any system that serves less than 3,300 people to be exempt from the regulations placed by the Bill. According to the University of Massachusetts (Amherst), that’s 94% of the water systems in America. The remaining 6% are required to self-assess the strength of their physical and electronic systems. They are also instructed to create an emergency-response plan if they do not already have one in place.
The Department of Homeland Security advised that the American water system could be easily hacked in 2011, but most water systems in the country have been focused on physical risks like storms and leaks. Very few have IT professionals on staff, and that problem has been made worse because of remote management necessitated by the current pandemic. Most are also small and have little money to spare on luxuries like safeguards against cyberattack. According to the Executive Director of the Cyberspace Solarium Commission, Adm. Mark Montgomery (ret), water systems have had
“one guiding principle over the last 50 years: increased automation to lower the size of the workforce to keep costs down. Along with that, there should have been an investment in the cybersecurity of the infrastructure. But that did not happen.”
In February of 2021, the water treatment plant in Oldsmar, FL was hacked and a mass-poisoning almost took place. Who the hacker(s) was/were remains unknown, but whoever it was tried to increase the amount of sodium hydroxide in the water by over 110 times. This amount of the caustic chemical would severely damage any human organs with which it came into contact. The hack was discovered before anything bad occurred, but it also happened after the Bill was passed by Congress that claims to try to prevent this kind of invasion.
There have been many, many attacks on entire water systems, not just drinking water. In 2015, the Department of Homeland Security reported 25 security incidents regarding water — a 79% increase over 2014. US Intelligence services have affirmed that the security of both water and wastewater sectors are at direct risk of being cyber attacked by foreign governments and lone criminal actors. In 2020, the Journal of Environmental Engineering published a review that found “an increase in the frequency, diversity, and complexity of cyberthreats to the water sector.”
The 2018 Congressional water bill allocated $10 million to help small water facilities pay to upgrade security measures, but has not appropriated the money. With over 155,000 facilities qualifying as small, $10 million cannot be sufficient to make the improvements necessary, even if it does get handed out.
By: Ellie Cabell
Want to join the clean water revolution? IX Water is now crowdfunding on StartEngine: https://www.startengine.com/Ix-Water
Sources:
https://www.wired.com/story/oldsmar-florida-water-utility-hack/
https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/publications/booz-allen-2019-cyber-threat-outlook.pdfhttps://www.awwa.org/Portals/0/AWWA/Government/AWWACybersecurityRiskandResponsibility.pdf
https://www.wsj.com/articles/u-s-water-supply-has-few-protections-against-hacking-11613154238