Cyber Threats to Critical Infrastructure: Attacks on Public Water Supply

Most of us take for granted that at any time of any day we can turn on the faucet and get a glass of water. Because safe, accessible, drinkable water is essential to our life, public water systems are part of our nation’s critical infrastructure. Over the last three years, cyber attacks have put these systems at risk.

Two hacking attempts into Tampa area water system

The number of attempted attacks has increased in recent years, including February 2021 in the Tampa, Florida area, just two days before the Super Bowl.

A hacker gained access to the Oldsmar, Florida water system and was able to briefly increase the amount of sodium hydroxide (lye) in the water treatment system before an employee noticed the issue and corrected it. Oldsmar is about 16 miles from Tampa.

As reported by the BBC, an attempt to access the system was first made in the morning, but the plant operator thought it was his supervisor. A second attempt in the afternoon resulted in the hacker gaining the access required to adjust the lye levels.

The level was reduced as soon as the issue was identified and the public was never in danger – thanks to the staff who were closely monitoring their systems. As of April 2, the hacker has not yet been identified.

There are obvious concerns over the fact that this attack was able to happen successfully – even if it was immediately reversed.

Wired’s Brian Barrett reported that the Florida attack “marks the third publicly disclosed attack on a water system that posed a direct risk to the health of a utility's customers.” Prior attacks occurred in 2016 at an unnamed utility and in 2019 in the Post Rock Rural Water District in Kansas.

Fired employee retaliates by tampering with Kansas water system

One of the biggest concerns with threats to water systems is that they are often connected to insiders – including former staff.

In the Post Rock incident, a former employee, Wyatt Travnichek, logged into the facility’s system two months after his employment ended and tampered with cleaning and disinfecting processes for drinking water. Travnichek was recently indicted on federal charges for tampering with a public water system.

Vulnerabilities expose need for cybersecurity funding and expertise

Municipalities responsible for public water systems are often small and have limited – if any – cybersecurity plans in place to prevent unauthorized access by former employees. These same municipalities also have limited resources and funding to improve their cybersecurity protections.

Brandon Hoffman, chief information security officer for the threat intelligence firm Intel 471, shared with Wired that he, “expects water supply infrastructure to be an increasingly popular target, especially as incidents like Post Rock and Oldsmar highlight both the vulnerability of those plants and the amount of harm they can cause.”

Protecting our critical infrastructure is a top priority, and experts in this field are in high demand. Capitol Tech offers bachelor’s, master’s and doctorate degrees in security, intelligence, and critical infrastructure. Many courses are available both on campus and online. To learn more about Capitol Tech’s degree programs, contact admissions@captechu.edu.