Date: 2022-02-02

Just about a year ago a dedicated, attentive operator at the Oldsmar, Florida, water treatment plant noticed an anomaly when their cursor began moving about their computer screen. They weren’t handling the mouse or keys. I have been the victim of a burglary, a real-world incident as compared to some digital intrusion, and if a comparison is warranted it might start with the common feelings of fear, violation, and powerlessness.
In Pinellas County where Oldsmar sits, those sentiments only scratched the surface for its public. In February 2021 someone had circumvented the security meant to protect that most critical part of the infrastructure, potable water preparation. The hacker, or group of them, was able to take over the facility’s systems remotely. Essentially, it was a ploy that leveraged the intentional ability to remotely operate the computers. This is a common feature, and when it is used in the bona fide manner it might provide an approved, remote technologist access to help the local staff overcome some problem. The help desk person, as an example, who’s 1,200 miles away and is contracted to solve the water treatment facility’s tech issues can take the helm and move the mouse, input keyboard commands, and ultimately cure the issue.
That same doorway, when compromised, gives such wide berth of control away to anyone entering it. In Oldsmar’s case, the criminal’s remote ability took them to the facility’s set of operations that controlled additives. We’re all aware that fluoride is a common water plant additive in the U.S. You may be unaware that many of these 50,000+ plants also inject sodium hydroxide (NaOH) when needed. The more familiar word for sodium hydroxide is lye. If you’re a Germanic pretzel maker, you realize there’s a limit to using the caustic soda called lye. Just enough turns out the beautiful, dark brown crust we all associate with a perfect soft pretzel.
Like any other corrosive acid, sodium hydroxide is dangerous to use. I’ve made said pretzels with food-grade lye and have had to don protective gloves so as not to get a chemical burn. Too much NaOH also might cause a rise in temperature eventually igniting flammables. Industry uses sodium hydroxide as a glass etching solution. In hindsight, why I ever tried to go full genuine with my homemade pretzels seems less and less rational. Another sign that NaOH is nothing to fumble with is that it’s the active ingredient in many drain cleaners. At the treatment plant, the risk of too greatly dosing the public water system with lye is evident ten times over. The plant, like so many others, nonetheless requires it as an additive to maintain pH level. Used judiciously for this, lye is safe and beneficial to our drinking water.
Fortunately, the Pinellas water system hack did not result in catastrophe. There were safety nets and backup systems in place. After just a few minutes of the takeover the operations returned to normal. Local police, the FBI, Secret Service, and private cybersecurity experts combined investigatory forces but we may never know the true culprit. Some claim that the Russians were behind it, though from my armchair perspective the seemingly sloppy manner that let plant operators see the rogue mouse cursor points to someone less sophisticated.
Water treatment plants are unique among utilities and our critical infrastructure in many ways. Foremost, we human beings rely on drinking water for sustenance. We can go without power. No fun in the winter, or summer, or ever. We can survive without internet service. Bridges are a tough one to refute, but I’d still claim water supply to be higher on the list. Another distinction surrounds dough-re-mi. There are considerable lobbying functions ongoing in Washington from the electricity industry, oil and gas of course, the cable/satellite/TV suppliers, and on. Not so much with these typically cash-strapped providers of life. It’s ironic in that sense; or, cynics might call it American, or capitalistic.
Whether water, nuclear power, or traffic light controls, the segment of technology known as industrial control systems is continually under attack. Within minutes of basic online searching one can find all sorts of critical infrastructure components, both here and abroad, having been targeted in recent years. The modernization of these systems, some of which harken back millennia in their tenure of serving the public good, has introduced all the same vulnerabilities that taking your shopping activities and communications online has done on that much smaller scale. There is very little difference, digitally, technologically, in a criminal lifting your debit card information from the internet and then applying that same criminal mindset, and many of the same tools, toward taking over our water supply. It’s not melodramatic, here, it’s substantiated risk and fear.
In April of 2021 the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, with support of the current administration, embarked on an incrementally focused cyber-defense initiative covering much of the critical infrastructure. The electric grid and gas line systems were the first beneficiaries. Hundreds of utilities and pipeline branches, all of which took advantage of the security initiative of their own volition, were analyzed through a partnership between CISA and U.S. Department of Energy. Then their defenses were hardened, as needed.
Now, another increment of CISA’s plan is afoot. The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan (ICSCIWWSAP … just had to try and see whether there was some catchy acronym or initialism for the lengthy label) has 100 days to improve the water system at least to the extent the DOE iteration did for electric and natural gas. With water’s criticality, the government will try to decrease detection and response times, and improve information sharing among all cybersecurity factions. Until these sensitive targets are defended, there’s no watering down [ugh] the risk.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
