Protecting power grids and water supplies from cyber attacks


Cyberattacks come in all shapes and sizes, but some types are undeniably more dangerous than others. Earlier this month, a worst-case scenario almost came to pass in a sleepy town of 15,000 in Florida.

A cyber criminal managed to attack Oldsmar’s water-supply system and successfully raised the amount of sodium hydroxide—or lye—to dangerously high levels. The good news is that a plant operator reacted quickly to the attack, put a stop to it, and ensured that no one was hurt. But this event highlights the vulnerabilities of utilities and the dire consequences of not shoring up their cybersecurity.


Utilities are underprepared for cyberattacks

The importance of secure utilities is intuitive. Safe drinking water and reliable electricity are non-negotiable necessities, and even temporary lapses in these services can be disastrous. The wide-scale power loss in Texas this week following a snowstorm is a salient example of how bad things can get when utilities are compromised, regardless of the cause.

And yet, many systems remain unprotected at the cybersecurity level. In the case of water treatment in particular, there have been serious cyberattacks going back as far as 2008, but security has lagged behind the threat. In the Oldsmar case, the plant was believed to be using Windows 7 software, which is over a decade old and no longer updated by Microsoft.

Feeling out-gunned from an IT perspective is common among utilities managers. In 2019, Siemens and the Ponemon Institute released a study that surveyed 1,726 utility professionals responsible for securing or overseeing cyber risk in operational technology. Just 42% rated their cyber readiness as “high,” while 31% gave the same mark to their readiness to contain or respond to a breach. At the same time, 64% of respondents said sophisticated attacks were a top challenge. Those numbers paint the picture of a sector that knows it’s in trouble but doesn’t feel like it has the tools to mount a successful defense.

Drinking-water systems could be especially difficult to protect for the simple reason that there are so many of them; there are an estimated 153,000 public drinking-water systems and 16,000 publicly owned wastewater treatment systems in the U.S. alone. That doesn’t mean other utilities don’t face similar threats.

The risk of power grids getting ‘smart’

A devastating cyberattack on a Ukrainian power grid in 2015 left 230,000 people without electricity for up to six hours—and set off a steady trend of cyberattacks on power grids since. The risk only grows as more and more systems become “smart grids,” systems that enable more accurate metering and more efficient distribution of energy.

In November 2020, the Canadian Centre for Cyber Security issued a report on the threats to Canada’s energy sector. It determined that smart-grid technology would increase vulnerability to cyberattacks due to more internet connectivity for operational technology, an influx of diverse devices from a variety of sources, and a greater level of interconnectivity between industrial control systems, creating more points of entry for an attack.

Beyond the grids, the energy infrastructure at large has shown vulnerabilities in recent years, specifically when it comes to pipelines. Most famously, an American natural gas pipeline had to be shut down for two days last year due to a spear-phishing attack. It’s a problem that’s hard to pin down because companies that own pipelines aren’t required to report attacks and are incentivized not to do so in order to keep attention away from vulnerabilities in their systems. 

Thus far cyberattacks on utilities haven’t yielded the most devastating results possible, but that doesn’t mean they never will. The Oldsmar incident came frighteningly close to putting many lives in danger. With any luck, it will serve as a wake-up call.


My passions are politics, sports, and how data helps us understand both. I’m kind of like a discount Nate Silver who hasn’t been famously wrong about anything—yet.