In February of 2021, a Water Treatment Plant in Florida made international news when a hacker tried to pump a deadly amount of sodium hydroxide into the plant's water supply. According to BBC when reporting on the story,
"Sodium hydroxide is the chief ingredient in liquid drain cleaners. It is very corrosive and can cause irritation to the skin and eyes, along with temporary loss of hair. Swallowing it can cause damage to the mouth, throat and stomach and induce vomiting, nausea and diarrhoea".
Thankfully, for this Florida community, an operator at the plant stopped the hacker's attempt to poison the water supply. As a nation that has access to advanced water infrastructure systems, we often view our facilities as being infallible. Most of the time, this assumption is correct, but it does not mean that water infrastructure can not be exposed to technology glitches and hackers.
On October 23, 2018, America's Water Infrastructure Act (AWIA) was signed into law. As stated by the EPA,
"AWIA Section 2013 requires community (drinking) water systems serving more than 3,300 people to develop or update risk assessments and emergency response plans (ERPs). The law specifies the components that the risk assessments and ERPs must address, and establishes deadlines by which water systems must certify to EPA completion of the risk assessment and ERP.".
So where does a Cybersecurity Assessment fit into an ERP or risk assessment plan? When considering all risks that can be deadly to a water system, facilities should consider the following cybersecurity breaches:
Hackers
E-Mail infections
USB Drives (intentional and unintentional)
Simple Passwords
Internet Connections
Laptop Connections
Missing or outdated software patches
Smaller systems, specifically, are more vulnerable since sophisticated safeguards and training are often lacking due to cost. With this being said, the cost of recovering from a cyber attack is unprecedented. In other words, it's better to be safe than sorry and to consider the pros and cons of monitoring cybersecurity risks.
If you think that your plant could be a potential target, or have questions about your plant's cybersecurity, Keystone Engineering Group can assist with cybersecurity threat identification and mitigation and is adept at small system evaluation. In case of an emergency, Keystone developed an Emergency Response number to get you in touch with the appropriate member of our Automation Team 1 (877) 579-5999.