Could Hackers Poison Your Local Drinking Water?

February 17, 2021
Worker Chris McKirryher monitors pumps, filters and water storage at the Vergennes-Panton Water District in Vergennes, Vt. The computerization of drinking water systems makes them more vulnerable to hacking. Photo: U.S. Department of Agriculture Rural Development/Bob Nichols.

TipSheet: Could Hackers Poison Your Local Drinking Water?

By Joseph A. Davis

An unknown hacker on Feb. 5 penetrated a computer that controlled a Florida drinking water plant and tried to inject over 100 times the normal amount of sodium hydroxide, otherwise known as lye, into the water. 

A wide-awake operator quickly stopped the attack. But it raises the question of whether utilities are doing enough to keep our water safe. And for environmental journalists who have not written much about drinking water security, there is likely a story of similar risks to be reported in many communities.

The vulnerability of drinking water systems to hacking is an important story — but it is hardly the biggest threat people face related to drinking water. Context and proportion are crucial. Remember, in most cases, water pollution is worse.


Why it matters

Most residents of the United States have running water and get it from a public water system. There are almost 150,000 of them around the country, serving more than 280 million people.

The treatment plants at these public water systems protect people from threats like cholera and toxic chemicals. And because we are so dependent on drinking water treatment, failures can threaten our health instead of protecting it.

A water treatment plant does quite a few things. It screens the water to remove large solids. It settles the water to remove most suspended sediments. It flocculates the water to remove most dissolved solids. It may use further filtration techniques to remove more contaminants, especially ones that do not precipitate out in flocculation. 

There’s more: A treatment plant adds chemicals (e.g., sodium hydroxide) in small amounts, to condition the water for purposes like reducing corrosivity (that’s what can mobilize lead from pipes). It adds things like fluoride, considered to reduce tooth decay. It adds small amounts of disinfectants like chlorine, to kill harmful pathogens. 



All along the way, the water may be tested and monitored to make sure things are working right. That’s also crucial to keeping people safe. Each one of these processes is meant to make the water more healthful, but when any one of them goes wrong, it can create health threats.

Many of these systems are so small that they cannot afford a full-time treatment plant operator, much less an IT person. Done correctly, remote operation can help. Done poorly, it could make a plant vulnerable to hacking.


The backstory

But if you’re worried about hacking, don’t forget that cholera is worse. It wasn’t until 1854 that Dr. John Snow, suspecting cholera was a waterborne disease, removed the handle of the Broad Street pump in London to prevent residents from using the water. 

Cholera and typhoid were still fatally common in U.S. cities as the 20th century began. Since 1900, when much of the water and sewer infrastructure was built in U.S. cities, the incidence of waterborne disease has dropped dramatically.

Of course, the 20th century revealed a new host of other health harms from contaminated water, and we haven’t yet addressed all of them. The Safe Drinking Water Act of 1974 set the U.S. Environmental Protection Agency, states and local utilities on the road to addressing and fixing them. Mostly.

And when the massive terrorist attacks hit on Sept. 11, 2001, the United States became concerned about threats to all kinds of critical infrastructure. The Bioterrorism Act of 2002 contained a whole title on drinking water security. Drinking water systems were an obvious point of vulnerability to chemical, biological or radiological attack by terrorists or other wrongdoers. 


Water system vulnerabilities kept secret

The drinking water security law required water systems above a certain size to conduct vulnerability assessments to be submitted to EPA. But the legislation not only made them exempt from the Freedom of Information Act, it made it a crime to give them to anyone not authorized by the EPA administrator. 



The assessments were to be ultra-secret. Yet the biggest secret of all may be how easy it is for an amateur with bad intent to figure out the vulnerable points.  

The same water systems were also required to draw up Emergency Response Plans for dealing with a terrorist attack. In doing so, utilities were to coordinate with other agencies like police or hazmat units. The 2002 law did not require these to be disclosed, but did not explicitly forbid disclosure either. So a resourceful journalist could possibly get a look at the local plan.

To help accomplish all this, Congress authorized and appropriated hundreds of millions for federal grants to local utilities for everything from doing studies to buying taller fences. It’s complicated, but there’s at least one thorough accounting of this money.

It’s been nearly 20 years and the secrecy has mostly held, with scant coverage of drinking water security by journalists. Yet few agencies or utilities have publicly shown much improvement in security. A good many fences around reservoirs are just as short as they were two decades ago.


Weak links in the water system

While hacking is clickworthy, it’s worth remembering how many potential weak links there are in drinking water systems. In fact, it’s worth remembering all the roles computers can play in a system. 

A class of computer programs called “industrial control systems” does basic work like opening and closing valves. When these are accessible via networks without good cybersecurity, the plant may be vulnerable.

But utilities have databases of customer billing and employee personal information that could also be a target. Hackers have found success using ransomware attacks on various municipal data systems (which can also be deflected with good cybersecurity). And few computer systems can protect against a disgruntled employee who has passwords and wants revenge (a threat perhaps more likely than one from terrorists).  

Computer systems fail too, even without bad guys. Low budgets, lack of training, obsolete hardware and software, sloppy password handling and lack of maintenance (e.g., software security updates) can paralyze and handicap systems all by themselves.

One telling story: the legendary Stuxnet worm, believed to have been developed by United States and Israeli cyberwarriors, damaged industrial control systems on Iranian uranium enrichment centrifuges around 2010. 

But computer malware, like pandemic viruses, finds its way through the human world on its own. By 2011, a version of Stuxnet found its way to a treatment plant in the Curran-Gardner Township Public Water District, near Springfield, Ill. Whether it was a deliberate attack (Russia was a suspect) or a stray copy of the home-grown Stuxnet remains murky. It did little damage.


Story ideas

  • Ask your local drinking water utility if it uses remote-control software. Ask if it has evaluated its security risks. Ask if it monitors for intrusions. Ask if it has updated and maintained its software.
  • Get the Consumer Confidence Report for your utility for the last five years. Get the compliance and enforcement records for your utility for the last five years. These may come from state drinking water agencies.
  • Get the source water assessment, if any, for your local utility.
  • Find out what disinfection method your utility uses. Does it use and store elemental chlorine (in large quantities it can be a serious hazard)? What other chemicals are stored in what quantities?
  • How often and how thoroughly is your utility’s water tested? Who tests it for what contaminants?  
  • Is your utility following EPA’s Cybersecurity Best Practices for the Water Sector?


Reporting resources

Joseph A. Davis is a freelance writer/editor in Washington, D.C. who has been writing about the environment since 1976. He writes SEJournal Online's TipSheet, Reporter's Toolbox and Issue Backgrounder, as well as compiling SEJ's weekday news headlines service EJToday. Davis also directs SEJ's Freedom of Information Project and writes the WatchDog opinion column and WatchDog Alert.

* From the weekly news magazine SEJournal Online, Vol. 6, No. 7. Content from each new issue of SEJournal Online is available to the public via the SEJournal Online main page.
