On February 5, 2021, Oldsmar, Florida’s water treatment plant operators found themselves under attack. A hacker infiltrated the facility’s system and attempted to increase the water’s level of sodium hydroxide to over 100 times its normal amount. While sodium hydroxide is commonly used in water and wastewater treatment to remove heavy metal particles, large amounts of sodium hydroxide are poisonous to humans and can be deadly.
While not the first of its kind, this cyber breach brought the imminent threat of cyberterrorism into the national spotlight.
“This incident is opening a lot of people’s eyes because public health is connected to systems that have cybersecurity vulnerabilities,” said Miranda Mello, a senior water supply engineer at the Department of Natural Resources, regarding the cyber-attack.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) notes that around 75% of the U.S. population relies on public wastewater services, while over 80% of the country’s population receives potable water from public water services. According to CISA, a targeted cyber-attack could result in “large numbers of illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.”
Two years after the Oldsmar incident, the U.S. Environmental Protection Agency (EPA) is sounding the alarm about the increased need for stronger cybersecurity for our utilities.
According to EPA Assistant Administrator for Water Radhika Fox, “Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health.”
This year, Congress appropriated funds to a new EPA grant program intended to help build public water systems’ resilience in the face of natural disasters and cyber threats. This program provides grants to assist water systems with improving their resilience to extreme weather or expanding their cybersecurity programs. EPA has also issued new requirements and guidance for public water systems regarding increased cybersecurity measures.
Building cyber resilience may sound intimidating, especially if your crew is already stretched thin. Luckily, there are some simple solutions available that’re easily implemented by any utility.
Looking for more ways to increase your utility's resilience? Check out Envirosight's blog post on how to prepare for extreme weather events.