The word “cyberattack” usually brings to mind hackers breaking into a company or government agency, wreaking havoc and stealing valuable data.
But for an employee at a Florida water treatment facility, an even scarier event took place in February.
On his shift at the plant, which treats water for about 15,000 people in Oldsmar, a town near Tampa, he noticed that the levels of a chemical additive in the water were increasing.
Hackers had remotely gained access to the plant’s computer system and were adding more sodium hydroxide to the water supply. Typically used in small amounts to control acidity, at higher levels it can become dangerous to drink.
The employee alerted his boss, the command was reversed and crisis was averted.
But for cybersecurity experts in North America, the Oldsmar attack is a warning of how the shift toward smart technologies like remote access during COVID-19 is making cities and their critical infrastructure more vulnerable to attacks.
“Digital transformation has a soft underbelly, which is digital risk,” said Grant Geyer, chief product officer of Claroty, an industrial cybersecurity firm headquartered in New York.
“The same connections that enabled new emerging technologies to help the world also provide the perfect venue for cyber criminals and nation-state-sponsored actors to conduct malfeasance, not just in the cyber world but (also) in the physical world,” he said in a phone interview.
That means it is not only private digital information which could be at stake, but also the water people drink, the energy they use and even their lives.
Last September, German prosecutors opened a homicide case after a woman died when her ambulance had to be diverted because the first hospital it arrived at in Duesseldorf was unable to admit her due to a cyberattack.
If prosecuted, it would be the first case of someone dying as the direct consequence of a cyberattack.
Several major U.S. cities, including Los Angeles and New York, have poured resources into their cybersecurity efforts.
However, many small- and mid-sized cities lack the funding and expertise to bulk up their cyber defenses, said Scott Shackelford, chair of the cybersecurity program at Indiana University Bloomington, who runs a free cybersecurity clinic.
Mostly catering to local governments, the clinic advises on things like managing data and dealing with ransomware – a type of malicious program hackers use to take control of computer files so they can demand hefty payments to recover them.
“There (are) so many cities and towns coming to us wanting help,” Shackelford told the Thomson Reuters Foundation in a phone interview. “There’s a huge need that frankly is not being addressed.”
The U.S. Federal Bureau of Investigation received a record number of complaints of cyber crime in 2020, according to its annual internet crime report, representing a 69% increase compared to 2019 and losses exceeding $4.1 billion.
Analysts say one of the biggest challenges facing cities is finding cybersecurity experts, particularly outside major metropolitan areas.
Local governments struggle to compete for cybersecurity talent with the private sector, which usually offers far larger salaries, said Isaac Straley, chief information security officer at the University of Toronto in Canada, who also serves on Ontario’s cybersecurity expert panel.
“The talent that you need is a real issue, and I’m not seeing enough conversation on that,” he said.
One of the biggest concerns in the cybersecurity sector is that cities have not paid enough attention to protecting operational technology, referred to as “OT”.
Unlike information technology (IT), which deals with data, OT includes industrial control systems – or “ICS” – such as water and energy.
These industrial systems are often “air-gapped” – meaning they are disconnected from the internet so, in theory, unhackable – but experts say well-determined actors can still find ways to infiltrate them.
“Top of mind for everybody right now is OT, explicitly because it has an impact on health and safety and national security, in ways that cloud servers and emails never will,” said Robert Lee, chief executive of Dragos, an industrial cybersecurity company headquartered in Maryland.
As part of his $1.9 trillion COVID-19 relief bill signed into law in March, President Joe Biden announced $650 million in additional funding for the Cybersecurity and Infrastructure Security Agency (CISA) and $1 billion to update federal technology systems.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said home working and resource constraints brought on by the pandemic have made state and local governments increasingly vulnerable to cyber threats.
“CISA has prioritized working with state and local governments to ensure they understand the risks they face and are taking steps to protect their systems, especially those connected to critical services,” he said in emailed comments.
This has included launching a ransomware awareness campaign, sharing real-time threat information from intelligence, and providing tools and resources to help IT professionals, Goldstein said.
Following the National Defense Authorization Act passed last year by Congress, CISA is also in the process of hiring cybersecurity coordinators for each state to liaise between the agency and state and local officials.
Lee at Dragos said it is vital that the new administration works across sectors to create a stronger cybersecurity ecosystem instead of relying too heavily on federal agencies to patch vulnerabilities.
The majority of U.S. internet infrastructure and critical infrastructure like water and electricity is owned by corporations, he noted.
“The way the United States succeeds is by playing with a full hand – we’ve got a very competent and excited and innovative private sector,” Lee said.
New York City, for example, set up the NYC Cyber Command in 2017 to coordinate between government departments and work in partnership with the private sector, an initiative that is frequently praised by cybersecurity experts.
The organization has been working across more than 100 city agencies to build cyber resilience, Colin Ahern, deputy chief information security officer for the city of New York, said in an email.
The idea, he said, is to focus on three things: spotting threats when they happen; having processes which enable a quick response; and using defensive technology to react to attacks which are now highly automated.
The best thing cities can do, regardless of their resources, is to change how cybersecurity is planned and executed, Ahern added.
This means educating city leaders about decisions they might have to make in crisis situations, and simplifying urban technology systems as much as possible, he said.
“Monolithic, overcomplicated systems are harder to both to maintain by technology teams and secure by cybersecurity teams,” he said.
“Complexity is the enemy of both reliability and security.”