City of Batesville Public Works Director David Karr says a recent incident involving a city’s water system in Florida is a reminder that Water Dept. employees must remain diligent in their duties of sampling and monitoring the volume of water that serves area residents.

The Feb. 5 cyberattack on a water treatment plant in Oldsmar, Fl. – a community of about 15,000 people in the Tampa Bay area – was one that experts said raised new red flags about the vulnerability of critical infrastructure in the U.S.

The attack on Oldsmar’s water supply was detected within three to five minutes, said an official, and the potentially harmful act was quickly deflected, but it was still the furthest a hack that threatened U.S. critical infrastructure has gotten to date.

“It’s probably not the first time it’s happened in the United States, it’s happened a bunch of times,” said Karr, who’s been employed with the City of Batesville for over 27 years, and supervises all aspects of the local treatment plant facility’s operations.

In the case of Oldsmar, the small increments of sodium hydroxide – or lye – which is used to control the acidity of the city’s water, was multiplied by over 100 times by the hacker.

A plant operator witnessed a phantom cursor on his computer screen causing the level to rise and caught it immediately, although it still qualifies it as the most successful cyberattack of its kind.

To ease concerns about such an attack occurring in our neck of the woods, Karr said that since local drinking water is so clean it doesn’t require these small amounts of lye to adjust pH level.  The local water is solely treated with chlorine fluoride after it comes from the ground.

“You know hackers – they find something, they just try to hack into it,” said Karr.  With regard to cybersecurity of local water operations, he said their supervisory control and data acquisition (SCADA) at the wastewater plant runs through a company out of Minnesota who always has updated firewall protections.

The term SCADA was coined in the 1970s, and is a computer system for gathering, analyzing, monitoring, gathering and processing real time data, and it controls industrial processes locally or at remote locations.

Karr said that the ability to turn the water on or off is about the extent of any major function that can be controlled locally.  “There’s not a lot of things that somebody could hack into,” he said.  “The chlorinators and those kind of things are not attached to the SCADA.”   

It’s comforting to know the unlikeliness of someone messing with local drinking water to make it  more toxic, such as it happened in Oldsmar.  Although it’s still concerning that a hacker with this skill set would also have the ability to shut off a well just as easily – which could also potentially cause mayhem.

Community awareness of these concerns are not without good cause.  The most vulnerable to cyberattacks remain smaller utilities, and smaller water treatment plants, in small towns and cities.  When hackers get inside the control systems and dismantle locks, there is the possibility of disaster.

Data shows that there’ve been more attacks on American infrastructure in the second half of last year than there were in the previous two years combined, and the threat is very noticeably growing more frequent.

Although the U.S. is still the world’s top cyber superpower, over the past decade our lead in this area has been dwindling, and we remain one of the most targeted countries in the world by cyber hackers.