Most town water treatment plants serve fewer than 50,000 people, and they face a common problem: budgetary constraints prevent administrators from investing in digital defenses, making the plants prime targets for cybercriminals.
“It’s definitely becoming a trend—possibly because ransomware has become a thing now where people can make money. Water plants do matter to the general public,” said Loney Crist, vice president of cyber security software development at IPKeys Power Partners, a New Jersey-based cybersecurity firm. “When you get a ransomware attack, it can be tens of thousands of dollars or hundreds of thousands of dollars.”
Some choose to pay the ransom; others get another system up and running: “It comes down to how much they think it’s going to cost to get their system going,” he said. “The majority of water plants are going to have some sort of remote access. And that tends to be the biggest vulnerability.”
Smaller systems, especially, don’t have enough revenue to pay for a plant’s physical and cybersecurity upgrades. And inside a system’s perimeter defenses, “Once you get on a network, they’re fairly flat. They’re fairly small networks,” Crist said. “They haven’t seen a need to segment them.”
Beyond the monetary concern, there’s a greater fear of the physical harm that could come to constituents if a cybercriminal were able to gain unimpeded digital access to a water treatment plant’s system.
Last year, for example, a hacker broke into the Oldsmar, Fla. community water treatment plant and remotely turned up the levels of sodium hydroxide. At high levels, sodium hydroxide can seriously damage the human tissue it touches. Operators at the plant intervened manually before anything happened, preventing catastrophe. But the incident revealed an important vulnerability in systems across the United States.
It’s one that many managers are moving to address.
To read the complete article, visit American City & County.