In March, the town of Oldsmar Florida announced that it’s water treatment plant was commandeered by a hacker who set the plant to add toxic levels of lye to the water system. A plant operator noticed the mouse pointer interacting with the plant software and reversed the lye levels down to normal dosages. The plant operators assured the public that other redundant controls would have prevented the lye from being dumped into the town’s water.
A security researcher found in independent analysis that the same plant on the same day was infected with a two-year-old botnet indicating that the plant’s network environment was not well secured.
Water plants in California, Wisconsin, and other states have witnesses similar probing of their control systems by hackers.
This is what the public generally knows:
- Hackers are exploring the levels of harm they can do to municipal systems, such as water plants, and discovering their limits by changing settings.
- Apparently hackers are able to do relatively unsophisticated things in municipal environments that can lead to mass illness, or perhaps death.
This is what you should not be focused on:
- Do not think of this as a water-only problem. That would be horrifying enough. But all underfunded public systems that we rely on for health and safety are equally at risk.
This is what you should be focused on:
- You must, at long last, use your risk analysis to think – creatively – about the harms you may cause others. The information security world was tremendously boosted while trying to protect personal, health, and financial information, but we are long past securing that data alone.
- Add to your risk analysis things that attackers may do to information and your systems that are not associated with regulatory rules alone. Think like the worst criminal who can use your processing power, storage space, data sets, confidential information to attack others.
- Demand that your municipality (for home and work) increases their cybersecurity budget to protect the public. We cannot roll our eyes at City Hall if we don’t also provide them the resources they need to operate well while protecting the public.