From Water Education Colorado (Alejandra Wilcox):
As the coronavirus pandemic stretches past a year, the world has become accustomed to facing problems we rarely, if ever, anticipated before. These new challenges extend beyond logistical work-from-home issues to graver concerns: For example, how do we keep our water systems safe from hackers?
In Florida, a water treatment plant ran into that very issue in February when a hacker breached its remote system. The hacker, who is still unknown, reportedly adjusted the sodium hydroxide — added to alkalize water and limit lead leaching from pipes — in the city’s water to poisonous levels. While the threat was quickly addressed, the incident highlighted the weaknesses of remote access operations.
The Florida water plant is far from the only utility that’s fallen victim to a cyberattack. Similar threats have happened in Colorado, too. For example, in 2019, hackers demanded a ransom from the Fort Collins Loveland Water District and South Fort Collins Sanitation District. (The districts were able to resolve the issue on their own).
And just last month, the Colorado Department of Public Health and Environment’s Water Quality Control Division warned of recent phishing attempts at various water utilities.
The Cybersecurity and Infrastructure Security Agency, or CISA, works to help organizations bolster their technology and counter cyberattacks. “Water utilities face the same types of cyberattacks as any other organization: phishing schemes, ransomware attacks and other malware designed to steal credentials,” said Dave Sonheim, Colorado CISA cybersecurity advisor. “While technology creates many advantages, it also brings with it the risk of cybercrime, fraud and abuse.”
COVID-19 has intensified the problem, he said, because it necessitated remote work, making operations for many utilities more vulnerable.
“What we know is that breaches in cybersecurity can knock on a bazillion doors electronically until one opens,” explained John Thomas, professor of engineering practice at the University of Colorado. To prevent cyber threats from escalating, Thomas says it’s important to consider as many challenging scenarios as possible and work backward to build a more adaptable system.
Cyber issues predate the pandemic but because water utilities typically use electronic control systems that were developed in the 1960s, their technology tends to be older, too. Older tech combined with pandemic conditions exacerbated an already existing weakness.
“Systems are still outdated and not really designed to be operated on the internet, and with all the issues surrounding COVID-19 suddenly requiring remote administration and access — it’s kind of a perfect storm,” Thomas said.
As hacks have increased, regulators have responded with more explicit guidance. The Water Information Sharing and Analysis Center offers 15 cybersecurity fundamentals targeted for the water sector. Additionally, the Water Infrastructure Act of 2018 requires larger water utilities to conduct risk and resilience assessments of their cybersystems. These kinds of threats have long been on the radar of utilities like Denver Water, which follows the U.S. Environmental Protection Agency’s best practices to stop cyberattacks before they begin.
“Denver Water has a designated cybersecurity team, along with an emergency preparedness program, that investigates the best ways to detect, defend, respond to and recover from cybersecurity attacks, including those similar to the one that occurred in Florida,” said Denver Water spokesperson Todd Hartman. Hartman said Denver Water follows guidelines set by CISA.
But these policies may not be enough. A recent paper on how COVID-19 might transform infrastructure resilience noted that “older best practices that focus on efficiency and stability are becoming increasingly insufficient.” That presents a new opportunity to rethink how infrastructure operates and how it can be designed to respond to unexpected situations.
Emily Bondank, a science and technology fellow with the American Association for the Advancement of Science and one of the paper’s authors, said current guidelines are limited to what utilities can imagine as a future threat. But what about things they can’t imagine, like a global pandemic?
“COVID impacted us in an interesting way because it wasn’t recognized as being a threat to infrastructure at all,” Bondank said. “Even though people know cybersecurity is an issue for the water sector, it just hasn’t been invested in enough for them to really understand the vulnerabilities and threats around it.”
Alejandra Wilcox is a journalist currently based in northern Colorado. Her work has been broadcast on KGNU and has appeared in the Huffington Post, among other outlets.