The Pinellas County Sheriff’s Department in Florida reports that on Feb. 5 a hacker accessed the water treatment system in Oldsmar, Fla. AWWA Chief Executive Officer David LaFrance issued the below statement regarding the cyberattack.
The Feb. 5 hacking incident on a Florida water utility is a jarring reminder that the threat of cyberattacks on critical water infrastructure is both real and serious. We live in a world where cyber intrusions are increasingly common in our personal and professional lives. Given the essential nature of water service, it’s well known that water infrastructure — and water treatment plants of all sizes — are potential targets of people with bad intentions.
While the Florida incident is unsettling, there are some takeaways that should bring us confidence. First, while the hacker was able to gain access, it appears a vigilant water operator thwarted any potential harm. There’s no clearer demonstration that water professionals are essential workers, and the work they do each day protects us all.
Second, the incident makes clear to all water utilities and governing boards that they must take action to prevent or discourage similar attacks. The water sector has been actively addressing cybersecurity issues for many years. In fact, the 2018 America’s Water Infrastructure Act requires utilities to complete a risk and resiliency assessment that must include cyber threats to enterprise systems and process control systems. This incident should underscore the urgency of that work.
Third, we are not powerless against cyber threats. There are resources available to help utilities of all sizes. AWWA’s Water Sector Cybersecurity Risk Management Guidance and the accompanying assessment tool are free at www.awwa.org/cybersecurity, as is the Cybersecurity Risk & Responsibility in the Water Sector report and many other helpful eLearning opportunities and documents.
Federal agencies define cyberattacks as the top threat facing business and critical infrastructure. Friday’s incident demonstrates why. Let this incident be a constant reminder of the importance of round-the-clock cybersecurity vigilance in the days and decades ahead.