U.S. water utilities face a trio of major threats: leaking pipes, natural disasters, and digital insecurity. In response to many recent hacks of our water systems, the federal government is acting to toughen cybersecurity in the water sector. But although the destruction wrought by hackers is more attention-grabbing, larger-scale if more mundane threats also need to be triaged by government and managers of the water infrastructure.
Which is worse for water infrastructure: cyberattacks—or a more ordinary kind of hazard that is almost universal and has been decades in the making? Read on to know more:
At a recent hearing of the House Committee on Homeland Security, David Gadis, CEO of DC Water, explained that maintaining a strong cyber defense “is just as much a part of our infrastructure as maintaining our pipes and filtration systems. Robust planning for cybersecurity is no longer optional in the water sector. It is a key part of what we do every day.”
As an example of the kind of attacks that must be prevented, attendees cited the 2021 hack of the Oldsmar, Florida, water system. The bad guy entered a command to increase the concentration of lye to over 100 times the normal concentration.
Lye is used to raise the pH of water in order to minimize corrosion. High concentrations can cause difficulty breathing, internal bleeding, esophageal burns, vomiting, collapse, shock, and even death. Fortunately, the increase in lye was detected almost immediately and reversed before the water supply of Oldsmar could be appreciably affected. No one was poisoned.
Also dramatizing the problem is a more successful attack on a water treatment plant in San Francisco that had occurred a few weeks earlier. The hacker deleted programs used to treat drinking water, and the problem was not discovered until the next day. So far as is known, no one got sick as a result of the temporary interruption of water treatment.
Both incidents call attention to the fact that the nation’s largely independent and insecure water systems are vulnerable to cyber assault: “50,000 security disasters waiting to happen,” in the words of NBC News.
Among critical infrastructures, water systems may be the most vulnerable to cyberattacks — and the hardest to harden against them.
Yet water infrastructure may also be the target of highest value for hackers eager to cause trouble on as large a scale as possible. (Meanwhile, as if to increase our anxiety about the vulnerability of digital systems, we’re learning that various foreign spy agencies often seem to be able to traipse through government and private networks in the US at will.)
To improve the cybersecurity of public water systems, the Biden administration has recommended new rules that place more responsibility at the state level and that require cybersecurity audits in addition to existing sanitary surveys. But experts have criticized the plan for doing too little and also for overlooking many practical difficulties.
The Greatest Threat to Water Systems?
Although cyber threats are a great and growing problem, water infrastructure in the United States is facing a homegrown threat that is even larger — orders of magnitude larger. Indeed, it’s everywhere. And the cost of saving the nation from this threat and providing more sustainable water management may run into the trillions.
Hackers can attack a single water system: one system among tens of thousands of independent systems. But the larger threat we’re talking about is already attacking a large number of water systems at once, knocking entire municipal systems offline and turning pipe networks into Swiss cheese. Alas, the problem is so familiar that, for the most part, it’s not really setting off any alarms.
This threat is simple wear and tear. Water systems are falling apart.
Normally, the pace of wear and tear is more manageable. But for historical reasons, a great deal of the country’s water infrastructure is breaking down at the same time — now. Part of the explanation is that as U.S. pipe networks were being laid from the late 19th century through the 20th century, the quality of the pipe was diminishing. So over a century’s worth of pipe all has roughly the same expiration date. As a result, the costs involved in detecting and fixing leaks are pervasive and growing.
Concern about hackers targeting our communities is understandably more immediate and intense than concern about gradual deterioration. The rising number of cyber assaults on critical infrastructure, including water infrastructure, is definitely a crisis. But it shouldn’t steal the spotlight from the much bigger threat to water infrastructure we must grapple with: old age.