Let’s face it – we’ve been expecting this to happen eventually. The Feb. 5 cyberattack at the Bruce T. Haddock Water Treatment Plant in Oldsmar, FL comes as no surprise. A cyber attacker was able to exploit weaknesses in the plant’s computer network to remotely access the system and manage the treatment of the water, raising the levels of sodium hydroxide in the water from about 100 parts per million to more than 11,000. Sodium hydroxide, also known as caustic soda or lye, is added to the water in small doses to control pH but can be toxic at very high doses. Although the change the attackers made to the city’s water treatment process was quickly reversed, experts said it got further than any other hacking attempt to physically impact critical infrastructure in the U.S.
A 2019 report from the American Water Works Association (AWWA) cited an assertion by multiple federal agencies that cyberattacks were the biggest threat to America’s critical infrastructure.
With cyberattacks on businesses and government computer systems occurring daily, it was only a matter of time before hackers focused their attention on critical water infrastructure. Rest assured, the national news coverage on this latest event will serve to incite other nefarious individuals to launch even greater attacks on other water systems.
A 2019 report from the American Water Works Association (AWWA) cited an assertion by multiple federal agencies that cyberattacks were the biggest threat to America’s critical infrastructure. It also noted that there have been high-profile attacks on water providers in recent years, including one on Atlanta utilities that left employees unable to turn on their work computers for a week after the attack.
This latest attack underscores the importance of protecting America’s critical water infrastructure from both natural- and human-induced risks, as well as being prepared to respond when emergencies occur. The Americas Water Infrastructure Act of 2018 (AWIA) requires that all water systems perform a Risk and Resilience Plan (RRP) and an Emergency Response Plan (ERP). The RRP should be comprehensive and evaluate risks at every level in the system, as well as its ability to respond and withstand various levels of disruptions. With these attacks becoming a regular occurrence, I suggest cyber security should be a critical component of any RRP and ERP.
Currently considered during a required risk and resilience assessment:
- risks to the system from malevolent acts and natural hazards
- resilience of system components
- monitoring practices
- financial infrastructure of the utility
- use, storage, or handling of various chemicals
- operation and maintenance
- evaluation of capital and operational needs for risk and resilience management
System components to be considered:
- constructed conveyances
- physical barriers
- source water
- raw water collection and intake
- storage and distribution facilities
- electronic, computer, and other automated systems
RK&K specializes in providing the necessary guidance to municipal water systems in preparing RRPs and ERPs that identifies system vulnerabilities, as well as preparing plans on how to respond when – not if – emergencies happen. RK&K has helped some of the largest utilities in the country to complete their ERPs.
RK&K has helped some of the largest utilities in the country to complete their ERPs.
When considering cybersecurity, our team generally applies AWWA’s Cybersecurity Guidance and Assessment Tool, which has been updated to maintain alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and Section 2013 of America’s Water Infrastructure Act (AWIA) of 2018. AWWA’s assessment tool offers the most comprehensive approach for protecting critical water and wastewater computer networks.
The next time when your team performs an RRP or ERP, remember these recent news-making case studies. What should be considered to prepare for a potential cyberattack and what can we, as professionals, do to assist our clients? After all, the best defense is a good offense.