In February of 2021, wastewater treatment security in the US faced new challenges as a hacker gained access to the operational technology system of a plant in Oldsmar, Florida.
The goal of the unknown individual? To poison the water supply by boosting the amount of sodium hydroxide being injected into the system. Left undetected, this could have caused significant local health problems, with symptoms like diarrhea, nausea, and worse.
Luckily a plant employee was able to notice the change in settings and change them back before the high levels of chemicals could be pushed into the water.
The idea is a scary one - an unknown force making an attempt to poison something as vital as water itself, something we are supposed to be able to trust when it comes out the tap. And it’s not the first time this has happened either. Other incidents have included hacking attempts on wastewater treatment plants in San Francisco, and we’re likely to see more as people realize there are security exploits they can use.
Water infrastructure as we know it is facing the growing threat of cybercrime. This is not uncommon in this day and age, but the problem is what a direct impact it has on the general public and their health.
In this article we’ll be discussing the major cybercrime threats faced by the wastewater treatment industry and what needs to be done to prevent them.
The Official Situation
Federal agencies like the FBI, CISA, and EPA have stepped in to do an official analysis of the current security threats facing our water systems based on attacks that have taken place in the past three years.
Some of the incidents included in the report were:
Cyber attacks using ransomware in a treatment plant in California
Hackers remotely introducing ransomware into a treatment plant in Maine
Ransomware attacks in Nevada that affected the plant’s backup systems
Ransomware files found by staff in a plant operational system in New Jersey
Former employees leaking their credentials in a plant in Kansas
These incidents have now highlighted how important it is to protect our water infrastructure not only from physical wear and tear but also from virtual threats.
The report came forward with several recommendations for reducing the threat of these types of attacks. Some of these approaches included things like additional threat monitoring, controlling remote employees’ access with better tracking, reviewing emergency response procedures, and more.
Other suggestions were aimed at using technologies or new principles to ensure that no suspicious activity can come through. Multi-factor authentication, password security training, secure PC use training, and avoiding phishing attempts are all steps that should be taken by plants to prevent cybercrime attacks.
How Cyber Crime Takes Place In Wastewater Treatment Plants
The key with these types of attacks is that they can come at any moment, either in a spontaneous attempt or as part of a long plot that may have seen an attacker gain access months ago. These cybercriminals typically make use of malware and ransomware to attack these facilities.
Ransomware usually involves software or programs used to restrict the original user’s access to a system until they pay a ransom to retrieve their credentials. Malware is a more general term that covers a variety of malicious software such as Trojans, spyware, and more.
Let’s say that you live in an area where hurricanes or tornados are common. If the treatment plant has suffered damages, it would be an ideal time for a cybercriminal to take advantage of a moment of weakness in the system. Once they have access to it, they can lock it down and refuse to return access until they are paid some sum, usually a cryptocurrency or something less traceable.
On average, the majority of these attacks are not just endless attempts by a hacker to break in. Usually, it’s as simple as tricking an employee into clicking on a spam link in a seemingly real email: it’s as much social engineering as it is software engineering.
Why This Is Happening At Wastewater Treatment Plants
There are several reasons why these plants are being targeted. It’s worth noting first that the attacks are not disproportionate to the attacks suffered by other industries and sectors right now; it’s just that this is a sector where a successful attack has a severe impact.
Wastewater treatment plants are particularly vulnerable to cyber attacks, and they don’t commonly have the funds available to do a full security overhaul of their online systems. Many of these plants also function with smaller staff teams that are fully consumed with the general day-to-day operations, which leaves little room to deal with extra security measures and training.
Ultimately what you see is one individual, already over-tasked, being assigned to monitor cybersecurity as well, when really it’s a dedicated role that is vital in today’s changing online environments.
Enforcing Access Control For Better Security
With all the above challenges in place, it’s still necessary to take measures for protection here. Access control of all connected and online systems is one relatively simple change to introduce for fewer security slip-ups.
Essentially what is meant by access control is that whenever a connection is requested between networks, there should be a check in place seeing who it is, what they want, and why they want it. Every person using a system at one of these facilities will need to adhere to these principles.
Access control is also ideal for better tracking. Should there be a security incident relating to an employee or staff member, there should be an electronic record of their activity that can be used to improve future processes.
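The who/what/why check and the activity record described above, sketched as an added example (not from the original article or any product it mentions). The role names, account names, asset names and policy table are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: (role, OT asset) -> purposes allowed. Anything absent is denied.
POLICY = {
    ("operator", "hmi-dosing"): {"view", "adjust-setpoint"},
    ("contractor", "historian"): {"view"},
}
# Constructed directory; "jdoe" stands in for a former employee whose login still exists.
ACCOUNTS = {
    "asmith": {"role": "operator", "active": True},
    "vendor1": {"role": "contractor", "active": True},
    "jdoe": {"role": "operator", "active": False},
}
AUDIT_LOG = []  # assumption: a real deployment ships these records off the OT host

@dataclass
class Request:
    user: str         # who is asking
    target: str       # what they want to reach
    purpose: str      # why they want it
    remote: bool
    mfa_passed: bool

def decide(req):
    """Default-deny check for one connection request; always writes an audit record."""
    acct = ACCOUNTS.get(req.user)
    if acct is None:
        allowed, reason = False, "unknown user"
    elif not acct["active"]:
        allowed, reason = False, "account disabled"
    elif req.remote and not req.mfa_passed:
        allowed, reason = False, "remote session without MFA"
    elif req.purpose not in POLICY.get((acct["role"], req.target), set()):
        allowed, reason = False, "purpose not permitted for this role and asset"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "allowed": allowed, "reason": reason, **vars(req)})
    return allowed, reason

def denials_by_user():
    """Count denied requests per user so the record can be reviewed later."""
    return Counter(r["user"] for r in AUDIT_LOG if not r["allowed"])

if __name__ == "__main__":
    for user in ("asmith", "jdoe", "vendor1"):
        print(user, decide(Request(user, "hmi-dosing", "adjust-setpoint", True, True)))
    print(dict(denials_by_user()))
```

Denied requests are logged as well as granted ones, so repeated attempts from a disabled account show up in the record even though none of them succeeded.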
Better authentication is another key step that needs to be taken at wastewater treatment plants. Using stronger passwords and secure password managers is an important step in keeping your virtual systems and controls safe. Bear in mind that passwords should be complex enough to be hacker-resistant and should also be changed regularly for additional peace of mind.
Fighting Security Threats: The Way Forward
We know that current systems are less secure than they would have us believe and that there are many issues with how these networks are configured. Pair that with sloppy security training and it’s easy to see how an incident like Oldsmar, Florida, or worse could happen.
This means that wastewater treatment plants can no longer put all of their funds towards physical infrastructure alone - they also need to dedicate the time and funds to securing their operational technology and to having qualified people oversee it.
The reality of it is, these attacks are just the beginning. Cybercrime is a constantly-evolving game that has IT professionals working around the clock to protect us from massive attacks that can cause serious infrastructure issues.
Other Challenges Faced By Wastewater Treatment Plants
As a plant operator, you know not to panic when there is too much nitrogen in your effluent discharge. Whether the blip was caused by a new industrial user that made a significant dump into your system or a change in the weather, you have a list of adjustments you can make to stay within permit standards.
The time to worry is when the steps you’ve taken to fine-tune your system for years – or even decades – aren’t working anymore.
Being out of balance is not a healthy long-term condition. That’s when regulators with weeks or months of negative data might stop by to discuss your permit status and when local leaders start asking questions and challenging your expertise because they worry the plant’s problems are making them look bad.
Create an extra treatment step by using your entire collection system to build the health of your microbial community. Harnessing the biological reactions that are already happening upstream can give you a much better result – a cost-effective and more predictable effluent compliance program.
Your plant’s ability to break down organic material and get rid of things that are harmful to the environment, such as nitrogen and phosphorus, will keep you in compliance — or put you in the regulatory crosshairs.
In-Pipe Technology offers an innovative natural biological solution to this persistent problem. Unlike other treatment processes, In-Pipe’s product starts working the moment waste enters the collection system, turning it into an efficient bioreactor that keeps on working until the end stages of in-plant wastewater treatment.
If you’re constantly battling nutrient levels at your plant, the In-Pipe method delivers critical headway against regulatory ceilings.
In-Pipe will continually put highly efficient bacteria in your system well before the wastewater comes into the plant. The collection system will reach its full potential as a large biological reactor, which can lead to additional plant efficiencies. With In-Pipe, you’re reducing effluent loads before they even enter the plant by making your system work harder. We help compliant plants function more efficiently and non-compliant plants achieve their targets by reducing influent organic loading and effluent pollutant levels.
The best part? In-Pipe’s solution will likely cost less than other solutions, especially ones that require chemical and equipment additions or upgrades at the plant.