Michigan Looks to Bolster Water Plant Cybersecurity

(TNS) — The Michigan Department of Environment, Great Lakes and Energy (EGLE) is urging water plants to check their security protocols following a breach in Florida where a hacker tried to poison municipal drinking water.

The state issued the bulletin on Thursday, Feb. 11, roughly a week after the Oldsmar, Fla. incident on Feb. 5, which was noticed by operators before anyone was harmed.

Sodium hydroxide, which regulates alkalinity, minimizes corrosion and helps remove heavy metals from treated drinking water, was boosted to dangerous levels in Oldsmar by someone who assessed the treatment control system remotely.

The incident has raised alarm around the country.

In an “urgent message” on Thursday, EGLE stressed awareness and pushed plants to ensure they have security protocols in place to avoid such an incident in Michigan.

“If you allow some level of remote monitoring and operation of your facilities, please consider adding additional safeguards like establishing chemical dosage limits, eliminating equipment overrides and reducing controls on systems to minimize the impact of this type of security breach,” the state alert read.

Bonnifer Ballard , director of the Michigan section of the American Water Works Association, said the Florida incident has grabbed the attention of water plant operators.

“It’s generated a lot of discussion, that’s for sure,” she said.

Ballard said such a breach is technically possible at water plants in Michigan, but there are safeguards in place and cybersecurity audits are required by federal law.

Ballard said breaches like the one in Florida are unlikely to succeed because even small water systems have humans who monitor treatment levels and they are trained to spot and respond to irregularities.

“Even though a lot of this stuff can be controlled by a computer it’s still monitored by humans,” she said. A chemical feed “doesn’t have to be off by a lot” before it gets noticed.

“It gets your attention pretty quickly.”

“The odds that this kind of hack could actually have a negative impact I see as slim, but there is technically the possibility that it could happen,” Ballard said.

Ballard said the Florida incident underscores the importance of human eyes on the treatment process and the need to invest in municipal utility staffing.

The association does cybersecurity training and is mulling some new free webinars.

“We are all aware it can happen,” she said. “But operators are so involved in monitoring those systems that even if a hack happened, it’s pretty quick to circumvent whatever they are trying to do. That gives us a certain measure of confidence because we know we have the ability to intervene.”

(c)2021 MLive.com, Walker, Mich. Distributed by Tribune Content Agency, LLC.