Water distribution networks are traditionally challenged by ageing infrastructures, inadequate pipes control and maintenance, or by seasonal problems such as pipes freezing and busting in Winter. But water utilities are increasingly threatened by another big issue, that is cybercrime.
A worrisome episode was reported last week in Florida, US, where a hacker attacked the water supply plant in Oldsmar. The intruder breached the plant control systems through a remote access program normally restricted to plant workers and managed to increase the amount of lye — sodium hydroxide — by a factor of 100. Lye is used to lower acidity, but in high concentrations it is highly caustic and can burn.
A supervisor monitoring the plant console saw a cursor move across the screen and change settings, and was able to immediately reverse it. Local population (about 15,000 people) did not suffer a real peril, since the existing monitoring systems would have soon detected the chemical alteration and avoided it to affect the water supply. Nevertheless, the case had huge coverage and raised alarms about how vulnerable water systems are to cybersecurity attacks.
Most municipal water utilities are quite underfunded and under-resourced; they have a very small IT staff and frequently no dedicated security staff at all. This makes them a soft target for cybercrime.
A 2020 paper in the Journal of Environmental Engineering found that water utilities are being hacked by a variety of actors, including disgruntled former employees, skilled cybercriminals looking for ransom and profit, and even state-sponsored hackers. Although such incidents have been relatively few so far, the risk is getting higher and requires immediate action to be mitigated.
The Biden administration has already signaled its intention of investing more in cybersecurity. The Department of Homeland Security issued 25 advisories listing various industrial control systems that could be vulnerable to hacking, mentioning water and energy distribution networks together with other urban infrastructures such as video surveillance cameras.
Want to learn more about our cybersecurity and blockchain-powered approach to smarter cities and utilities? Watch our webinar (free ondemand access, no registration required) or contact our cybersecurity experts!