Water systems in Maine, California and Nevada targeted this year; Kansas, New Jersey and Florida last year
by Mark Coggin
Most Americans are aware of how hackers can target their personal information with emails from people posing as Nigerian princes. But many would be shocked to hear their water supply is being hacked by similar, more sophisticated criminals.
At least three separate drinking water treatment facilities were recently targeted by ransomware attacks. According to a joint advisory from the Cybersecurity and Infrastructure Security Agency, the FBI, the NSA, and the EPA, treatment centers located in Maine, California and Nevada, each had lost control of their remote monitoring systems. They were seized by criminals who wanted ransom money in return for the release of the system. The public was not notified of these attacks until mid-October, despite the attacks taking place from March through August.
Similar attacks were leveled in Kansas and New Jersey late last year. Florida was also targeted, though the hackers did not just attack the monitoring systems. Alarmingly, the hackers increased the level of sodium hydroxide (a caustic substance also known as lye) in the water by 11,000 percent – enough to seriously harm anyone who consumed the water. Fortunately, the hack was detected by an employee before anyone was harmed. According to the advisory, the ransomware criminals likely targeted the “unsupported or outdated operating systems and software” used by the water treatment facility.
America’s tap water infrastructure is failing at all levels. More than 900 boil water advisories have been issued so far this year. Families are often warned about these potentially dangerous outages much too late. In Englewood, Colorado, families consumed water contaminated with E. coli for three days before they were alerted – in much the same way that Americans are just now being told about the cybersecurity attacks that happened as far back as March. Outdated pipes leave families susceptible to lead poisoning and not just in Flint or Newark.
And it’s not just the water supply – all types of utilities are under attack. According to one estimate, ransomware attacks have increased 435% in the last year targeting 560 health care facilities, 1,681 schools and colleges, and more than 1,300 companies. Ransomware hackers triggered the shutdown of Colonial Pipelines leading to gasoline shortages throughout the East Coast. The U.S. Treasury’s Financial Crimes Network, or FinCEN, estimated that at least $5.2 billion worth of bitcoin has been paid to these hackers.
The federal government has set aside $2 billion to improve cybersecurity for power grids and water treatment centers in the $1 trillion infrastructure package pending before Congress. That infrastructure bill, which also includes funding to replace toxic lead pipes, has been held up in a partisan dispute for months. It is not clear when – or if – the legislation will become law. And while Congress plays games with the infrastructure bill, hackers are certainly working overtime to exploit systems while they still have the opportunity.
With the United States already struggling with supply chain shortage issues, these attacks could leave families without heat, electricity or water.
For now, families would be wise to ensure their emergency supplies are fully stocked in case an unforeseen outage occurs locally. FEMA recommends storing a three-day supply of food, one gallon of water, per person, per day, with enough to last several days along with batteries, flashlights, and any prescription medications.
These preparations will help in short-term disasters. Congress needs to stop stalling and start to address this problem and the longer-term consequences.
Will Coggin is the managing director of the Center for Accountability in Science.