“Not a hypothetical”: US water systems at risk from cyber attacks

By Shannon Kelleher

It’s been a little over two years since an unknown attacker tried to poison the water supply in Oldsmar, Florida by hacking into the computer system for the town’s treatment facility and boosting levels of sodium hydroxide in the water to perilously high levels.

An observant plant operator took immediate action to block the efforts before any damage was done. But as one of several similar efforts to tamper with US water systems, the February 2021 incident in Florida provides a stark warning of how vulnerable US water systems can be.

Now, US officials say these so-called “cyber threats” to drinking water supplies are growing, and they are pushing public water systems to tighten security around this type of threat. The Environmental Protection Agency (EPA) warned in a March 3 memorandum that many of the nation’s public water systems are at “high risk of being victimized by a cyber-attack” because they have failed to adopt basic protections.

“When we think about cybersecurity and cyber threats in the water sector, this is not a hypothetical,” EPA Assistant Administrator for Water Radhika Fox said at a press briefing earlier this month. “This is happening right now. We have seen these types of attacks from California to Florida, Kansas, Maine, and Nevada.”

The warnings follow a 2021 joint advisory issued by the EPA, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), and the National Security Agency (NSA) that called on the water sector to implement protective measures. China-based hackers are a particular concern amid heightened geopolitical tensions.

US security experts have recently warned that China may attempt to create “chaos” in America through various means, including polluting US water systems via cyber attacks.

But the threats also come from within. In a 2019 incident, a former employee of a water facility in the small, rural community of Ellsworth County, Kansas used his cell phone to remotely log into the facility’s system and shut down processes the plant uses to clean and disinfect water. The EPA said the man’s actions “threatened the safety and health of an entire community.”