In late March, President Biden announced a massive infrastructure spending proposal with broad impacts on a variety of infrastructure types across the country. Included in the proposal was at least $111 billion in spending on water infrastructure improvements, much of it focused on eliminating pollutants and ensuring that the water that reaches individuals’ homes is safe to drink. However, this initial proposal did not include dedicated funding to secure the nation’s water supply from emerging cyber threats or to strengthen the cybersecurity requirements for water treatment facilities, which are desperately needed to protect our water supply from potential cyber threats.
In just the past few months, authorities have uncovered attempts by bad actors to tamper with public water supplies in Oldsmar, Florida, and in Ellsworth County, Kansas. In both instances, attackers illegally leveraged remote access capabilities in an attempt to alter the balance of chemicals used to treat public drinking water – changes that could poison or kill thousands of people.
In the Oldsmar case, an unknown intruder attempted to poison the public water supply by drastically increasing the amount of sodium hydroxide used in the water treatment process. The chemical, commonly known as lye, is used in small doses to safely treat drinking water but is deadly in larger concentrations. The attempt to poison Oldsmar’s drinking water was thwarted by the timely intervention of an observant operator, who quickly corrected the chemical balance and alerted supervisors, and automated systems would have prevented the release of the poisoned water.
In Kansas, a former employee remotely accessed the computer systems that manage the county’s water treatment plant, shutting down the water cleaning and disinfecting processes to render the water undrinkable and perhaps dangerous to residents. Fortunately, the disgruntled former employee was unable to achieve meaningful damage, as no untreated water was released from the plant.
While the timely intervention of authorities prevented public harm in these cases, both demonstrate the significant threat posed by cyber attacks to our vulnerable public water infrastructure. The reality is that the more than 50,000 community water systems in the United States do not have to meet any sort of national cybersecurity standard and are not resourced to implement and maintain existing best practices, such as those from the Water Information Sharing and Analysis Center. In the case of Ellsworth County, Kansas, the investigation into the cyber intrusion of the facility found that the treatment plant used outdated, unsupported software, allowed for remote access to the facility via the open internet, and permitted staff to share passwords and user accounts. The country can, and must, do better by building on existing efforts to secure our water infrastructure.
The security of water treatment systems in the United States did not become a major focus in the country until after the 9/11 attacks, when concerns over the security of our water supplies largely pertained to the threat of bioweapons. The 2002 Bioterrorism Act, passed as part of the flurry of domestic security-focused legislation, required the largest community water systems to assess vulnerabilities and prepare emergency response plans. However, those requirements were focused on physical threats to the water supply, such as the introduction of a pathogen either within a water reservoir or at a water treatment plant. The Act and its supporters did not envisage the types of remote attacks or the usage of the treatment process itself as a weapon to poison our water.
The criticality of our water infrastructure was also acknowledged in Homeland Security Presidential Directive 7 (HSPD-7), which designated the water sector as critical infrastructure and directed the Environmental Protection Agency, the governmental lead for water system protection, as well as the Department of Homeland Security to develop a sector-specific security plan. These efforts, bolstered by the creation of the National Infrastructure Protection Plan in 2013, allow DHS and the EPA to coordinate sector security efforts and help utilities conduct vulnerability assessments and develop emergency response plans. While the EPA and DHS do provide utilities, public or private, with limited technical and, more importantly, financial assistance, the reality is that these resources are a drop in the bucket relative to the scale of investment likely needed to address cyber risks.
The America’s Water Infrastructure Act, signed into law in 2018, expanded past security efforts by requiring the country’s largest water systems to conduct security-risk reviews, including for cybersecurity threats. While the reviews for larger providers have been completed, smaller suppliers have either yet to complete their reviews or are exempt. The Act also stopped short of creating specific national standards or requirements for the cybersecurity of water treatment facilities.
These recent attacks on our public water infrastructure highlight the urgency for action. Many systems are well positioned to leverage the findings of their congressionally mandated security-risk reviews to make the cybersecurity investments needed to secure our public water supplies. The administration’s proposed infrastructure bill and ongoing negotiations in Congress offer an opportunity for the United States to dedicate resources to properly secure our water treatment facilities from cyber threats for the first time. The recent events in Kansas and Florida only highlight the dangers posed by passivity.
Security investments have, historically, taken a back seat to those intended to improve decaying physical infrastructure, such as leaking pipes, lead water lines, and outdated treatment facilities. But the desire to control costs and focus on the most immediate problems has created a chronic underinvestment in the security of our water systems. We now have the opportunity to address this perennial neglect by dedicating funds to shore up the cybersecurity infrastructure protecting our public water supplies. Given the potentially devastating impact of a cyber attack even on a small community’s water systems, we can, and must, immediately take action.