By Jake Holland and Bobby Magill, Bloomberg Law
A cyberattack on a Florida water treatment plant underscores the need for strong security protections at the municipal level, attorneys and industry professionals say.
A hacker gained access to an Oldsmar, Fla. city computer on Feb. 5 and changed the level of sodium hydroxide, also known as lye, local authorities said. It isn’t yet known whether the breach originated from the U.S. or from outside the country. The Federal Bureau of Investigation is working with local authorities.
There’s been a “marked increase” in the last couple of years in cyber incidents against state and local government entities, said David Springer, a cybersecurity attorney at Bracewell LLP in Austin, Texas.
“A number of people have been calling this incident a wake-up call, but there have been reported attacks like this for 20 years now,” Springer said. “I’m glad it’s bringing attention to the security of industrial and municipal control systems.”
Water Systems Vulnerable
Vulnerability to cyberattacks varies across the 51,000 community water systems nationwide, said J. Alan Roberson, executive director of the Association of State Drinking Water Administrators.
“This needs to be elevated within the water sector,” because systems are too critical to be allowed to go down due to a cyberattack, he said.
The country’s largest water systems are the best prepared for cyberattacks because they’ve heavily invested in addressing security threats, Roberson noted.
One of the largest is American Water Works Company Inc., which said Tuesday that it acknowledges the severity of cyber threats and is working with state and federal agencies to prepare for them, spokesman Joseph Szafran said.
“American Water has a dedicated team of certified professionals who help maintain the cybersecurity of our informational and operational technology systems; safeguard the physical security of our staff, facilities and assets; and provide emergency response and business continuity activities,” Szafran said in an email.
Critical Infrastructure Risk
Guarding people’s privacy and protecting their personal information remains a top priority, but cyber hits to critical infrastructure should serve as reminders that bad actors can inflict real-world physical harm, said Paul Luehr, co-leader of Faegre Drinker Biddle & Reath LLP’s privacy and cybersecurity team.
“The Florida event shows cybersecurity isn’t always about personal data—it’s also about personal safety,” he said.
That a plant worker was able to quickly lower the chemical levels back to normal and prevent public harm reinforces how administrative, physical, and technical controls—including employee training—are vital to keeping systems secure, he said.
Critical infrastructure such as dams, power plants, and hospitals are attractive targets for bad actors and have increasingly been targeted in ransomware hits, said Greg Szewczyk, a privacy and cybersecurity partner at Ballard Spahr LLP in Denver.
It’s common for those types of entities to be targeted by nation-state actors, he said, but regardless of attacker type, businesses and municipal entities alike need to think about operational and organizational responsibilities, he said.
“They need to consider data security beyond the mere confines of guarding personal information,” Szewczyk said. “They should be regularly assessing cyber threats, identifying individual vulnerabilities, and adopting proper security measures.”
If you liked this post you’ll love our daily newsletter, EnviroPolitics. It’s packed with the latest news, commentary and legislative updates from NJ, PA, NY, Delaware…and beyond. Try it free for an entire month.
