Skip to content

Hackers attempt to poison the well, but AI cybersecurity solutions bolster water treatment facility security

After a breach at a Florida treatment facility, tap water security is front and center. In the digital age, there are no shortages of challenges in the pipeline between facility and spigot.


Image: iStock/tuachanwatthana

After a cyberattack on a Florida treatment facility, conversations surrounding tap water security are front and center for IT teams and H2O-quaffing humans alike. Around the U.S., artificial intelligence-enabled autonomous systems are providing round-the-clock monitoring and response for short-handed IT teams with finite budgets facing increasingly sophisticated threats on utility infrastructure in the digital age.

SEE: Identity theft protection policy (TechRepublic Premium)

More about cybersecurity

Florida breach: A security “wake-up call”

In February, Pinellas County Sheriff Bob Gualtieri held a press conference explaining a cybersecurity attack on a Florida water treatment facility that reportedly involved increasing the sodium hydroxide—a component found in myriad household cleaners—to potentially dangerous levels.

“[For] over a decade, they’ve been screening from mountaintops. Watch out for these types of things, these are the kinds of threats we’re going to be seeing,” said Bryon Black, IT manager at South Coast Water District in Laguna Beach, California.

“I think between the SolarWinds [attack] and then what we saw in Florida was a huge wake-up call and it made it real,” he continued.

The South Coast Water District facility sees a variety of cybersecurity threats, according to Black, ranging from email phishing to social engineering schemes; efforts designed to obtain or mislead individuals into divulging sensitive security information.

“If they get a credential, they could leverage that to help them gain entry to perhaps [an] enterprise system and then laterally move over to the operational system,” Black said.


Image: iStock/DedMityay

Phishing, social engineering and WFH vulnerabilities

The district has conducted social engineering experiments, according to Black, and during these assessments, a cybersecurity consultant posing as a member of the IT department called operators pretending to have an issue with the email system in an attempt to obtain usernames and credentials.

“Some of them willingly gave [credentials] up, so that’s a pretty easy way for them to do that,” he said.

Across industries, remote work has presented a host of security vulnerabilities, and new entry points as telecommuters log on from personal devices on their home networks and these risks also extend to the utility network.

To set up what Black described as a rather “primitive way to use two monitors” at home, one remote employee at the company sparked a data exfiltration issue when they started emailing internal spreadsheets to their personal email address on their personal computer, according to Black.

Tapping autonomous AI security systems

To identify and mitigate threats, the water treatment facility has tapped Darktrace’s AI monitoring system. Black said the autonomous capabilities have provided the team with enhanced clarity about its network and how its staff operates. In fact, he said the algorithm detected the aforementioned dual monitor incident and alerted the team.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Almost immediately after the AI system was deployed, Darktrace identified previous blind spots and weaknesses, Black said. During an early demo, the software system provided an alert when a laptop at one of the organization’s remote sites was connected after being out of use for more than five years, he said.


Image: iStock/avigatorphotographer

Snoop and sift: Needles in digital haystacks

Such a threat exists as just one of the innumerable known and unknowns facing treatment facilities at any given moment.

To illustrate the complexity associated with locating a particularly high-risk potential threat in a cluster of other potential threats, Black used the needle in a haystack analogy: Rather than “trying to sift through every piece of straw,” the algorithm serves as an “appliance,” that automatically scrutinizes these risks and highlights few specific needles in the larger haystack.

“It has the ability to watch many haystacks and I don’t have to go sorting through the haystacks to figure out what’s going on or where things are happening,” he said.

Historically, cybersecurity at the Laguna Beach facility has relied on “traditional static systems” such as firewall, spamware, malware, internal education, best practices outreach and “aggressive patching,” Black said.

“We just build different moats around the castle. Hopefully, that makes it unattractive for an attacker to come in. But they’re not dynamic, so it’s highly reactive,” he said.


Image: istock/djedzura

Proactive approaches and “force multipliers”

Matthew Wainwright, CIO of Middletown, Rhode Island, who oversees its wastewater treatment network, echoed similar sentiments regarding this past reactive approach, citing the facility’s limited staff.

“I speak for probably a lot of my peers across the country, they don’t have the people to respond. So what’s happening is, these attacks are coming in and when you go to respond to the attack, it’s just not in a timely manner. And by the time you do, it’s too late,” Wainwright said.

These autonomous capabilities have enabled a proactive rather than a reactive approach to cybersecurity, Wainwright said, and the tool exists as a “force multiplier” for the small IT team overseeing the network.

Delivering the daily miracle

In the past at the South Coast Water District, Black said these threats have caused him to worry about what could be happening at the facility at night but said he’s able to sleep a little better knowing this autonomous system is monitoring the network.

The autonomous response allows the system to take actions to mitigate risks as they arise and the team can then take additional actions as needed once they have a better understanding of the situation, Black said.


Image: iStock/dangphoto2517

During a cyberattack, time is critical. An automated response comes in at “machine-speed” while humans in the loop assess scenarios that could be the difference between free-flowing safe tap water and a potentially dangerous scenario at-scale.

“Technology that can detect, fight back, and even investigate cyberattacks autonomously enables the limited number of human analysts to focus on strategic tasks and equips human analysts to prevent machine-speed attacks,” said Justin Fier, director of cyber intelligence and analytics at Darktrace.

It’s estimated that the average person uses upward of 100 gallons of water each for everything from hydration to hygiene, according to the USGS. There’s certainly no shortage of physical, abstract, and existential threats facing this critical supply between the treatment facility and the trusty spigot; nothing short of a modern miracle.

“[Water is] something we all take for granted. It comes to us miraculously,” Black said.

Also see