As the coronavirus pandemic stretches past a year, the world has become accustomed to facing problems we rarely, if ever, anticipated before. These new challenges extend beyond logistical work-from-home issues to graver concerns: For example, how do we keep our water systems safe from hackers?
In Florida, a water treatment plant ran into that very issue in February 2021 when a hacker breached its remote system. The hacker, who is still unknown, reportedly adjusted the sodium hydroxide — added to alkalize water and limit lead leaching from pipes — in the city’s water to poisonous levels. While the threat was quickly addressed, the incident highlighted the weaknesses of remote access operations.
The Florida water plant is far from the only utility that’s fallen victim to a cyberattack. Similar threats have happened in Colorado, too. For example, in 2019, hackers demanded a ransom from a couple of northern Colorado water districts. (The districts were able to resolve the issue on their own). The Cybersecurity and Infrastructure Security Agency, or CISA, works to help organizations bolster their technology and counter cyberattacks.
“Water utilities face the same types of cyberattacks as any other organization: phishing schemes, ransomware attacks and other malware designed to steal credentials,” says Dave Sonheim, Colorado CISA cybersecurity advisor. “While technology creates many advantages, it also brings with it the risk of cybercrime, fraud and abuse.”
Sonheim recommends that all individuals and organizations practice good cyber hygiene, such as never reusing passwords and enabling multi-factor authentication whenever possible. He also notes that because the COVID-19 pandemic necessitated remote work, it made operations for many utilities more vulnerable.
“What we know is that breaches in cybersecurity can knock on a bazillion doors electronically until one opens,” explains John Thomas, professor of engineering practice at the University of Colorado. To prevent cyber threats from escalating, Thomas says it’s important to consider as many challenging scenarios as possible and work backward to build a more adaptable system.
Cyber issues predate the pandemic but because water utilities typically use electronic control systems that were developed in the 1960s, their technology tends to be older, too. Older tech combined with pandemic conditions exacerbated an already existing weakness.
“Systems are still outdated and not really designed to be operated on the internet, and with all the issues surrounding COVID-19 suddenly requiring remote administration and access — it’s kind of a perfect storm,” Thomas says.
As hacks have increased, regulators have responded with more explicit guidance. The Water Information Sharing and Analysis Center offers 15 cybersecurity fundamentals targeted for the water sector. Additionally, the Water Infrastructure Act of 2018 requires larger water utilities to conduct risk and resilience assessments of their cybersystems.
But these policies may not be enough. A recent paper on how COVID-19 might transform infrastructure resilience noted that “older best practices that focus on efficiency and stability are becoming increasingly insufficient.” That presents a new opportunity to rethink how infrastructure operates and how it can respond to unexpected situations.
Emily Bondank, a science and technology fellow with the American Association for the Advancement of Science and one of the paper’s authors, says that current guidelines are limited to what utilities can imagine as a future threat. But what about things they can’t imagine, like a global pandemic?
“COVID impacted us in an interesting way because it wasn’t recognized as being a threat to infrastructure at all,” Bondank says. “Even though people know cybersecurity is an issue for the water sector, it just hasn’t been invested in enough for them to really understand the vulnerabilities and threats around it.”
Alejandra Wilcox is a journalist currently based in northern Colorado. Her work has been broadcast on KGNU and has appeared in the Huffington Post, among other outlets.
An extended version of this story originally appeared in Fresh Water News, an initiative of Water Education Colorado.