Well, that is certainly not a comforting thought.
Last month the public water supply in a small town in Florida was hacked. Only PURE DUMB LUCK protected those citizens. Did the hacker use exotic unknown vulnerabilities to compromise the system? No. The city didn’t even have a firewall, was using software that was no longer being patched, and shared passwords that were never changed.
The mayor of the town declared victory. He said that the staff executed to perfection. In reality, they were lucky that an operator happened to see the hacker move the cursor on the screen after the hacker increased the amount of a poisonous chemical being added to the water by 100 times. This is not perfection. This is more like: thankfully, we are not overseeing a mass funeral.
Experts say that these very basic protections are missing in many of the country’s 150,000 public water systems.
Admiral Frank Montgomery, executive director of the Congressionally chartered Cyberspace Solarium Commission, likened it to a pilot landing after an engine caught fire in mid-air. Thankfully, we averted a major disaster.
The city claims that they have redundant electronic monitors at the plant to protect citizens. So did the utilities in Ukraine, but that didn’t stop the Russians from blowing up that pipeline several years ago.
The problem does get ugly from time to time (and smelly).
In 2000, a former municipal wastewater contractor in Australia, rejected for a city job, remotely manipulated computer control systems to release 264,000 gallons of raw sewage, which poured into public parks, turned creek water black, spilled onto the grounds of a Hyatt Regency Hotel and generated a stench that investigators called “unbearable.”
This is not news.
As long ago as 2011, Homeland Security warned that hackers could gain access to American water systems using free and easily available Internet tools.
Booz Allen Hamilton said, in 2019, that America’s water utilities are a perfect target for cyberattacks.
And the Cyberspace Solarium Commission last year said that America’s water systems “remain largely ill-prepared to defend their networks from cyber-enabled disruption.”
But Congress fixed the problem in a 2018 law. Now every US water system serving more than 3,300 customers has to conduct a self-assessment of risks. That makes me feel better already. Oh, yeah, the assessments are not due yet, over two years after the law was signed. Tens of thousands of small systems are exempt. These utilities don’t have to do anything with the report. They don’t have to submit it to anyone. They just have to pinky-promise the EPA that they did one. And Congress allocated $30 million to fix any problems. For those that don’t have a calculator handy, that is $200 for each of the 150,000 public water systems. That should handle it.
The EPA is not much better. They said that drinking water systems need $472.6 billion in long-term fixes. But didn’t mention cybersecurity even once.
Part of the problem is money. Another part is an industry full of old timers who understand water but are pretty clueless when it comes to cyber. Finally, regulators are asleep at the switch. None of this bodes well for our safety.
Bottom line is that these water systems are crossing their fingers and hoping nothing happens. While the odds are good in the aggregate, I suspect public opinion will change the first time we kill a few thousand people because we didn’t think it was going to happen here.

Credit: ProPublica