By now, many of you have heard of the cyber attack on the water treatment facility in the City of Oldsmar, FL on February 5, 2021. You can view the city’s press conference at https://www.youtube.com/watch?v=zx1wTh8G97Q.
The event consisted of unauthorized remote access to the utility’s supervisory control and data acquisition (SCADA) system where an intruder altered the amount of sodium hydroxide, raising the dosage by a factor of 100. This could have led to thousands of people suffering from sodium hydroxide poisoning, which includes: lung inflammation, throat swelling, burning of the esophagus and stomach, severe abdominal pain, vision loss, and low blood pressure, according to the University of Florida Health System. Fortunately, the water treatment operator on duty noticed the intrusion and corrected the issue before the change was able to take place. According to a release from the FBI:
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.”
What would have happened if the operator was not on duty or did not notice the change? Would downstream monitoring and other alarms have detected this change before water quality and public health were impacted?
Has your system evaluated cybersecurity? Would you be able to prevent and/or respond to this type of attack?
Cybersecurity is one component of the risk and resiliency assessment (RRA) and emergency response planning (ERP) processes identified in America’s Water Infrastructure Act of 2018 (AWIA). The goal of the RRA and ERP process is to assess potential risks and then develop plans to respond. As shown in the recent case at the City of Oldsmar, water systems are vulnerable to cyber-attack. Awareness and planning are needed to protect against these vulnerabilities. RCAP, through its regional partners, has assisted a number of water and wastewater utilities in developing the EPA-compliant RRAs and ERPs required under AWIA.
One of the key components in addressing risk and resilience is training to raise awareness and identify potential actions to be taken to protect water systems. Under an EPA cooperative agreement, RCAP and its partner, American Water Works Association (AWWA), developed the AWIA Small Systems Certification Program. This program consists of 5 eLearning modules. All are available free of charge to small water utilities at https://www.awwa.org/Professional-Development/Small-Systems#10954561-awia-small-systems-certificate-program.
Course 1: Introduction to Resiliency and America’s Water Infrastructure Act of 2018 – EL272 – As the introductory course in the Small Systems Resiliency Certificate Program, this course introduces the requirements for water utilities established by America’s Water Infrastructure Act of 2018 (AWIA) and defines how the certificate program can help small systems to meet those requirements.
Course 2: Operational Measures for Resiliency – EL273 – The second course in the Small Systems Resiliency Certificate Program, the course content covers each aspect of security, field assessments of critical assets, and operational resiliency.
Course 3: How to Develop a Risk and Resilience Assessment – EL274 – As the third course in the Small Systems Resiliency Certificate Program, the course guides small systems through developing a Risk and Resiliency Assessment (RRA) with an RCAP/AWWA worksheet designed for small utilities.
Course 4: How to Develop a Small System Emergency Response Plan – EL275 – As the fourth course in the Small Systems Resiliency Certificate Program, the course guides small systems through developing an Emergency Response Plan (ERP) with the EPA ERP template.
Course 5: Cybersecurity for Water Systems – EL276 – The fifth course in the Small Systems Resiliency Certificate program explains the importance of cybersecurity best practices for critical infrastructure and demonstrates how AWWA’s water sector cybersecurity risk management guidance and tool can help a utility identify gaps in current cybersecurity practices.
The cybersecurity module is currently geared towards water systems of all sizes but is being modified by RCAP and AWWA to better address the needs of small communities. A draft of the revised module should be available for release by the end of March.
While the eLearning modules provide the essential knowledge for addressing AWIA requirements and can be used by some facilities in developing plans, additional training and technical assistance is often needed to help small communities conduct these assessments and develop complimentary ERPs. RCAP can provide this training and technical assistance. When needed, RCAP and its partners can also provide more in-depth cybersecurity training and analysis. The process consists of assessing the current use of technology; evaluating the controls and practices to identify, protect, and detect threats to their cyber systems; and where to go for more support.
For more information, contact Jeff Oxenford, RCAP Director of Training and Technical Services at [email protected] or (720) 353-4242.
Editor’s note: McElmurry is a contributing author for Drop of Knowledge and leader of a collaborative research project exploring the intersection of drinking water and public health. RCAP is working with the researchers on this project to provide the rural perspective. RCAP has provided feedback on the researchers’ survey instrument.
Water systems and public health systems grew up together and are interdependent in complex, and not always clearly, visible ways. A research program, Water, Health Infrastructure Resilience and Learning (WHIRL) funded by the National Science Foundation is exploring these interdependencies and will soon be distributing a survey to both water and public health professionals.
In 1914, the United States Public Health Service (PHS) adopted the first drinking water guidelines targeting microbial (coliform bacteria) and chemical (arsenic) contaminants (US Treasury, 1914). This led to the advent of centralized municipal drinking water systems that are credited with reducing nearly half of the total mortality, and three-quarters of the infant mortality, in major U.S. cities during the first half of the twentieth century (Cutler & Miller, 2005). In the 100+ years since the development of drinking water guidelines, these interdependent systems have developed through separate federal regulatory agencies (i.e., Environmental Protection Agency, Department of Health and Human Services), management frameworks, and even different professional and educational disciplines. As a result, many drinking water and public health systems are now highly disconnected (Levitt & March, 1988).
Disconnects between water and health systems are confounded by practices put in place after September 11, 2001. Many post 9/11 practices were designed to isolate water systems and restrict the flow of information, with the goal of protecting systems and facilities from potential terrorist attacks. However, these restrictions had the unintended consequence of making it more difficult to share information with key stakeholders, such as public health officials and the public. This may have contributed to a public that is largely not engaged, unaware and uninformed about how drinking water systems work and the importance of investing in their upkeep (Bipartisan Policy Center, 2017).
Both highly visible / public and “under the radar” events emphasize the growing need for a stronger connection between public health and drinking water. Day-to-day events (e.g., faulty, aging infrastructure that affects water quality) and disruptive weather (e.g., hurricanes, floods and droughts) that can lead to infectious disease outbreaks or human-induced disasters (e.g., chemical spills, contamination) are failures that can shut down drinking water services and have substantial adverse impacts on public health. Risks, hazards, and disruptions, even minor events that often go unnoticed, may illuminate interdependencies between drinking water and public health systems. If these interdependencies are critical, identifying these connections and strengthening them may enhance resilience.This is particularly true during periods immediately following events, when there are opportunities to learn, change and enhance system resilience (Sitkin, 1992; Turner 1976; May, 1992; Birkland, 2004).
In 2018, the National Science Foundation (NSF) funded a 4-year study to examine how drinking water and public health systems interact, with a focus on reducing risks of future disasters and enhancing the resilience of these two critical infrastructure systems. The project, entitled Water and Health Infrastructure Resilience and Learning (WHIRL), also aims to understand how these systems learn about and adapt to changes and how the public engages with these systems. The research is a collaboration between academics from Wayne State University, the University of Michigan, and Indiana University and the American Water Works Association, the Water Research Foundation, the Association of State Drinking Water Administrators, the Rural Community Assistance Partnership (RCAP), and the National Association of County and City Health Officials.
In collaboration with these partners, the WHIRL team has developed a survey questionnaire that will be distributed to water and health professionals over the coming weeks to collect information about how water systems and public health systems interact, both formally and informally. The survey includes questions about information exchange, communication, routine and non-routine interactions and the ways these groups learn from crises and disasters among other issues. The goal is to generate understanding about how drinking water-related hazards and disruptions unfold in ways that affect both drinking water and public health systems that can help in the construction of tools to detect undesirable events. In addition, the project will create new capacity to learn from the disruptions that will inevitably occur.
The WHIRL survey is available here. Broad participation from the water community is necessary to insure representative and reliable results. Summaries of results from this survey will be reported at conferences and in future editions of the Drop of Knowledge.
Bipartisan Policy Center (2017). Defeating Terrorists, Not Terrorism: Assessing U.S. Counterterrorism Policy from 9/11 to ISIS. Task force on terrorism and Ideology. Washington, D.C., Bipartisan Policy Center.
Birkland, T. A. (2004). Learning and policy improvement after disaster: The case of aviation security. American Behavioral Scientist, 48(3), 341-364.
Cutler, D., & Miller, G. (2005). The role of public health improvements in health advances: The twentieth-century United States. Demography, 42(1), 1-22. doi: 10.1353/dem.2005.0002
Levitt, B., & March, J. G. (1988). Organizational learning. Annual Review of Sociology, 14(1), 319-338.
Sitkin, S. B. (1992). Learning through failure: The strategy of small losses. Research in Organizational Behavior, 14, 231-266.
Turner, B. A. (1976). The organizational and inter-organizational development of disasters. Administrative Science Quarterly, 21(3), 378-397.
U.S. Treasury Department. (1914).
The bacteriological standard for drinking water. Public Health Rep. 29:2959-2966.