“Not a hypothetical”: US water systems at risk from cyber attacks
[This story was updated 5/8/23 to reflect recent information indicating the Oldsmar event may have been an instance of user error rather than a cyber attack.]
It’s been a little over two years since an unknown attacker allegedly tried to poison the water supply in Oldsmar, Florida by hacking into the computer system for the town’s treatment facility and boosting the sodium hydroxide — lye — in the water to perilously high levels.
Recently, information came to light suggesting the harrowing incident never happened. Al Braithwaite, the city manager at the time of the scare, said at a conference that an FBI investigation concluded “there was nothing, no evidence of any access from the outside, and that it was likely the same employee that was purported to be a hero for catching it, was actually banging on his keyboard.”
“Through the course of the investigation the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion of Oldsmar,” the FBI said in a statement.
But while the Oldsmar incident may have been a false alarm, US officials warn that real “cyber threats” to drinking water supplies are growing, and they are pushing public water systems to tighten security around this type of threat. The Environmental Protection Agency (EPA) warned in a March 3 memorandum that many of the nation’s public water systems are at “high risk of being victimized by a cyber-attack” because they have failed to adopt basic protections.
“When we think about cybersecurity and cyber threats in the water sector, this is not a hypothetical,” EPA Assistant Administrator for Water Radhika Fox said at a press briefing earlier this month. “This is happening right now. We have seen these types of attacks from California to Florida, Kansas, Maine, and Nevada.”
The warnings follow a 2021 joint advisory issued by the EPA, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), and the National Security Agency (NSA) that called on the water sector to implement protective measures. China-based hackers are a particular concern amid heightened geopolitical tensions.
US security experts have recently warned that China may attempt to create “chaos” in America through various means, including polluting US water systems via cyber attacks.
But the threats also come from within. In a 2019 incident, a former employee of a water facility in the small, rural community of Ellsworth County, Kansas used his cell phone to remotely log into the facility’s system and shut down processes the plant uses to clean and disinfect water. The EPA said the man’s actions “threatened the safety and health of an entire community.”
Contaminating or cutting off access to a community water supply can have devastating consequences, and US water systems have only narrowly dodged potential public health crises, according to Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD).
“People can go for a couple of days without electricity and it’s very challenging,” said Fixler. “People cannot go for a couple of days without water.”
Roughly 90% of people living in the US rely on the nation’s more than 148,000 public water systems for their drinking water, according to the EPA.
The rise in cybersecurity risks for US water and wastewater systems is largely due to the fact that water utilities have come to rely on automated computerized technology to manage day-to-day operations, and those systems can be vulnerable to skilled computer hackers who can wreak havoc from virtually anywhere in the world, said Paul Stockton, president of a strategic advisory firm and former Assistant Secretary of Defense for Homeland Defense during the Obama administration.
“The risk of attacks on water systems and wastewater systems is especially concerning because they are of foundational importance to public health and safety, and therefore could be attacked by China or other adversaries in order to incite panic and chaos across our country,” he said.
Some of the threats are focused on money – holding water systems hostage for ransom. In 2018, hackers launched a ransomware attack on Atlanta, encrypting city data and demanding a bitcoin payment worth $51,000. Employees with Atlanta’s water system were unable to turn on their computers or gain wireless internet access for about a week.
While ransomware attacks involving the water sector are not common, some have been “pretty significant,” according to Chuck Weissenborn, a regional manager at the cybersecurity company Dragos and co-chair of an infrastructure cyber committee at the National Defense Industrial Association.
Water systems can also be compromised as part of broader attacks that impact whole supply chains. Between October 2019 and December 2020, 73 water systems were attacked after Russian hackers breached the networks, systems, and data of thousands of organizations by injecting malicious code into widely-used software.
“We’re seeing more supply chain-focused attacks lately,” said Weissenborn.
Cyber attacks on water and wastewater systems could ripple through communities in many harmful ways, including disrupting fire-fighting capabilities, exercises at military bases, and life-saving work at medical facilities, according to a 2021 report prepared for the American Water Works Association written by Stockton.
Last year, the EPA’s Office of Inspector General reported that the rate of cyber attacks on water systems has skyrocketed in recent years. Between October 2006 and August 2013, the EPA recorded three such incidents, compared to 41 in the six years that followed, according to the report.
The actual number of attacks may be higher, according to Fixler, given that there is currently no requirement for utilities to report incidents. That is changing. Last March, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which mandates development of regulations that require 16 critical infrastructure sectors, including water and wastewater systems, to report cyber incidents and payments to ransomware attackers.
As part of the Biden Administration’s latest effort to address threats to the water sector, the EPA memorandum released in early March requires that states include cybersecurity as part of the “sanitary survey” they already use to evaluate physical vulnerabilities in local water systems. Currently, evaluations focus on security of physical structures; the new requirement will mandate that systems look for weaknesses in their operational technology.
Some cybersecurity experts view the measure as a welcome advance towards a more secure water sector.
“I really appreciate that approach because what they’re doing is they’re taking an existing process and figuring out a way to leverage it,” said Weissenborn. “This is obviously step one and it’s an important step in the right direction.”
But others worry that the EPA is taking a wrong turn by relying on sanitary surveys to assess cyber risks to water utilities. Some industry experts are concerned that information about cybersecurity vulnerabilities that is included in sanitary surveys could become public, said Fixler. Others say asking already overburdened water officials to evaluate cyber threats won’t garner the protection needed.
“My concern is that state water officials and their partners in industry already have their hands full, meeting basic water safety and purity requirements in an era of aging water infrastructure and persistent underinvestment in water pipes and other system components,” said Stockton.
“To ask those officials, many of whom have very little cyber expertise, to add cyber resilience to their portfolio is a very difficult way forward.”
“What we need is the establishment of industry-led cybersecurity standards to ensure that all utilities that are of a suitable size can meet these requirements and build nationwide resilience against attacks on the water sector,” he said.
(Featured Image: filtration ponds. Photo by Ivan Bandura on Unsplash.)