Protecting Your Water System from Hackers
The recent cyber assault of a Florida water treatment plant’s computer system underscores that strong cybersecurity infrastructure and training are essential for protecting water systems’ most vulnerable assets.
The American Water Infrastructure Act of 2018 (AWIA) aims to help communities protect against just this type of threat — a cyberattack or water contamination — by requiring utilities to conduct a Risk and Resilience Assessment. (Small utilities should be undertaking those assessments now to meet a June 30, 2021, deadline; large and medium-size systems should already have completed theirs.)
The Florida incident in Oldsmar, near Tampa, illustrates important lessons:
Vigilant operators protect water systems and save lives, making training and awareness crucial. According to news reports, the water utility employee saw that his computer was being manipulated and alerted his employer, who notified law enforcement authorities. Through quick action, the operator was immediately able to reverse a malicious command by the hacker that had increased the sodium hydroxide added to the water. the observant operator’s actions prevented harm to the community’s water supply.
Adequate protection requires multiple layers. Remote-access systems need to have safeguards, and the water treatment system requires redundancies and checkpoints for monitoring water quality before it is distributed to the public.
Any size system can be a target. The Florida utility serves about 15,000 customers. No system should assume it is immune from risk.
Resources about best practices are available. The water industry understands the threat cyber crime poses to critical infrastructure and has developed multiple tools to help guide managers and operators in strengthening their systems. Among them:
- Cybersecurity & Guidance from the American Water Works Association
- 15 Cybersecurity Fundamentals for Water and Wastewater Utilities from the Water Information Sharing and Analysis Center (WaterISAC), a nonprofit organization established as part of the 2002 Bioterrorism Act.
Freese and Nichols has assisted dozens of utilities of all sizes in their AWIA Risk and Resilience Assessments. Please contact us to see how we can help you with securing your system to reduce the threat of a cyberattack.