On February 5, 2021, Oldsmar, Florida’s water treatment plant operators found themselves under attack. A hacker infiltrated the facility’s system and attempted to increase the water’s level of sodium hydroxide to over 100 times its normal amount. While sodium hydroxide is commonly used in water and wastewater treatment to remove heavy metal particles, large amounts of sodium hydroxide are poisonous to humans and can be deadly.
While not the first of its kind, this cyber breach brought the imminent threat of cyberterrorism into the national spotlight.
“This incident is opening a lot of people’s eyes because public health is connected to systems that have cybersecurity vulnerabilities,” said Miranda Mello, a senior water supply engineer at the Department of Natural Resources, regarding the cyber-attack.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) notes that around 75% of the U.S. population relies on public wastewater services, while over 80% of the country’s population receives potable water from public water services. According to CISA, a targeted cyber-attack could result in “large numbers of illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.”
The State of Utility Cybersecurity Today
Two years after the Oldsmar incident, the U.S. Environmental Protection Agency (EPA) is sounding the alarm about the increased need for stronger cybersecurity for our utilities.
According to EPA Assistant Administrator for Water Radhika Fox, “Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health.”
This year, Congress appropriated funds to a new EPA grant program intended to help build public water systems’ resilience in the face of natural disasters and cyber threats. This program provides grants to assist water systems with improving their resilience to extreme weather or expanding their cybersecurity programs. EPA has also issued new requirements and guidance for public water systems regarding increased cybersecurity measures.
Cybersecurity Points of Action
Building cyber resilience may sound intimidating, especially if your crew is already stretched thin. Luckily, there are some simple solutions available that’re easily implemented by any utility.
- Practice good cyber hygiene. Use a unique password for every site you frequent and utilize multi-factor authentication whenever possible.
- Learn how to identify potential scams. Keep an eye out for emails or text messages from unknown senders, particularly those that ask for your personal information.
- Update your operating system and software. This ensures that your technology has the most recent safeguards in place.
- Get advice from the experts. CISA, EPA and other agencies offer free cybersecurity resources, including training opportunities, that are available to the public.
Looking for more ways to increase your utility's resilience? Check out Envirosight's blog post on how to prepare for extreme weather events.