Kevin Struck • UW-Madison Extension Sheboygan County
It was national news when a computer interface at a water treatment plant in Oldsmar, Florida, was briefly taken over by a hacker earlier this year. The cyberattacker substantially raised the setting for sodium hydroxide, commonly known as lye, which is added to the water supply to minimize corrosion. Contact with sodium hydroxide at excessive levels can kill skin and cause hair loss, according to the National Center for Biotechnology Information. Ingestion can be fatal.
The FBI and the Pinellas County Sheriff’s Office, which are jointly investigating, uncovered multiple shortcomings in the plant’s network security, which was set up to allow authorized users to access it remotely for troubleshooting. Lapses included the lack of an internet firewall, the use of shared passwords and outdated software, and the absence of two-factor verification. Experts fear such lapses may be typical among our nation’s 151,000 public water systems.
The reality is, most public water systems must function with small budgets, few employees, and aging infrastructure. To address this situation, many have turned to software systems and digital monitors to increase efficiency and cut costs. There are instances, however, when this strategy is implemented without sufficient safeguards and employee training.
The exact number of attacks on water utilities is unknown. Some attacks go undetected, while others are unreported. No federal law requires disclosure to regulators or law enforcement.
About two months ago, UW-Madison Division of Extension Sheboygan County sent a 12-question survey to the 11 water utilities in the area to ask how they are addressing this important issue. Recipients included the Plymouth Water Utility, Adell Municipal Water Utility, Waldo Waterworks, Oostburg Municipal Water Department, Cedar Grove Municipal Water Utility, Cascade Waterworks, Random Lake Municipal Water Utility, Elkhart Lake Water Department, Glenbeulah Public Utilities, Town of Sheboygan Water Utility, and City of Sheboygan Water Utility (which also serves Sheboygan Falls and Kohler).
Seven of the 11 surveys have been returned. The survey was set up to ensure respondents would be anonymous, so there is no way to know which of the utilities returned or did not return the survey. Although one could speculate that the four unreturned surveys reflect poor security measures that those four utilities were reluctant to confirm, there is no evidence to support such a conclusion. It is also possible that the four unreturned surveys were misplaced, forgotten about, or never received.
Since some water utility plants in the U.S. are still controlled with analog/manual systems, the first question asked whether the utility uses a computerized control system. (If a utility plant is not using a computerized system, there is little or no opportunity for a cyberattack, since there is no digital operating network to disrupt.) The survey revealed that three of the seven utilities do not use a computerized control system; consequently, nine of the 11 questions were not applicable to the three responding utilities without computerized control systems.
Questions 2 through 9 focused on specific security practices that have been recommended for safeguarding computerized networks from cyberattacks.
Out of a total of 12 responses from four utilities to three password-related questions, 75 percent of the responses indicated the recommended best practices were “Always” followed and 25 percent indicated they were “Usually” followed. None of the respondents indicated “Occasionally” or “Never.”
There were a total of 7 responses to a pair of software-related questions, with 71 percent of the responses indicating the recommended best practices were “Always” followed and 29 percent indicating “Usually.”
All four of the utilities using computerized control systems responded that they “Always” have an internet firewall activated.
Two-factor verification, which is a somewhat newer best practice, was used sporadically by the four utilities for granting access to critical systems.
All seven of the utilities indicated they have adequate backup systems and alarms.
Finally, two of the utilities have required some or all of their employees to participate in training related to preventing potential cyberattacks. Although the other five utilities have not had any staff participate in such training, it should be pointed out that three of the utilities have little need for such training, since they do not use computerized control systems.
Overall, the survey would seem to indicate that our local water utilities are not as vulnerable to serious cyberattacks as plants in other parts of the nation may be. This is good news for local water utility customers. Nevertheless, the tactics of cyberattackers continue to evolve, always seeking new ways to infiltrate networks and systems. Our utilities must continue to prepare for the challenges that are likely to arise in the future.