How safe is your drinking water?

When it comes to cybersecurity of our essential infrastructure in the United States, things may not be as bad as you think. The truth is that they are far worse.

On Aug. 15, a water department plant in the UK that provides water to 200,000 consumers was the victim of a ransomware cyberattack in which the hackers indicated that they also had obtained access to the computer software that controls the chemicals in the water. In its ransom demand, the hackers said “if you are shocked it is good” and in that they are correct.  

And while we are shocked by the cyberattack, we shouldn’t be. It is only the latest in a series of attacks that have already been made against water plants in the United States and around the world. Just last year the water treatment plant in Oldsmar, Fla., was hacked allowing a  temporary increase of the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million. While sodium hydroxide helps manage the PH level of potable water, with higher levels it becomes poisonous.

Compounding the problem is the sheer number of utilities supplying water to Americans, estimated to be 70,000, some of them quite small and vulnerable to cyberattacks due to a lack of funding and expertise.

Congress’ Cyberspace Solarium Commission issued a report in 2020 concluding that “water utilities remain largely ill-prepared to defend their networks from cyber-enabled disruption.”

At the heart of the problem, operational technology systems connected to the Internet are always going to be vulnerable to attacks by sophisticated cybercriminals and presently there are no cybersecurity requirements for Water Departments. Maximum security would best be achieved if such operational technology systems were not connected to the Internet and remotely accessible. However, particularly with budget cuts to cybersecurity budgets and more remote access by workers since the start of the pandemic, the problems have gotten worse. The federal government requires every automobile to have a seat belt, but the water you drink is unregulated in regard to cybersecurity.

The Biden administration has authorized the Environmental Protection Agency, as a part of its regular sanitary reviews of water systems, to extend those reviews to include evaluations of cybersecurity for water facilities. But the lack of regulations that drags on requires more urgency. The new reviews will be structured more as a collaboration between water facilities and the federal government, rather than as a mandate. This would be fine if both were willing participants, but thus far, the water facilities have resisted changes and requirements to protect our systems. As such, a hand-holding approach needs to switch to strong-arming. 

In addition, the recently passed bipartisan infrastructure law required the EPA to send Congress a new technical cybersecurity support plan in which it describes what its plans are for cyber support to vital water systems and a list of the systems which are anticipated to be receiving that support. The plan is required by Congress to describe the methodology for identifying key water systems and provide specific timelines for supplying assistance as well as list the types of assistance that will be provided.

But all of these efforts will take time. They also will take money and presently it has been estimated that the EPA’s total spending on cybersecurity at its Office of Water is only $7 million, which, pardon the pun, is just a drop in the bucket. For Americans who appreciate the ability to fill up a cool glass of water without giving it a second thought, it’s obvious this issue demands more immediate action that is long overdue.

Steve Weisman is a Senior Lecturer in Law, Taxation and Financial Planning at Bentley University in Waltham, Mass. He is also the author and creator of www.scamicide.com.