News / Utah / 

Studio 37/

Safeguarding Utah's water systems against threats

By Lauren Bennett, KSL | Posted - May 22, 2019 at 8:23 a.m.

3 photos

This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.

PROVO — When it comes to water, technology isn't the first thing that comes to most people's minds.

But as Richard Gardner, with the U.S. Department of Homeland Security, discussed Tuesday at the third annual Central Utah Water Symposium on safeguarding water, extreme threats and risks exist for water systems if poor cybersecurity is implemented.

Even basic security such as two-factor authentication, strong passwords and cutting all access from former employees can help mitigate the risk of hacking, he said.

"The more difficult it is for you to ultimately access something, it's harder for someone else to do that," he said.

Gardner is the cybersecurity adviser for the region that includes Utah, Colorado, Montana, Wyoming, North Dakota and South Dakota. In addition to his lecture on cybersecurity, others spoke on wildfire mitigation, natural disaster impacts on water and funding a resilient water future.

During his presentation to about 200 people in attendance at the Utah Valley Convention Center, Gardner urged those who rely on computer systems in their jobs to use Homeland Security's free cybersecurity assessments.

In the digital age, most workplaces implement best practices when it comes to cybersecurity. However, in the water industry, the consequences of a hack could be far more detrimental than losing a few files.

"We're worried about contamination all the time," said Kathryn McMullin, another presenter with the Division of Emergency Management in Utah's Department of Public Safety. "We're all learning how fast and furious we are vulnerable to a contamination event."

In 2006, a water treatment plant in Harrisburg, Pennsylvania, was compromised by foreign hackers, Gardner said. While it appeared the attack wasn't targeted, he said the intruder still planted malicious software capable of affecting the plant's water treatment operations.

The security threat was caused through the internet on an employee's laptop. Lessons learned from this incident include the need to secure remote computers, create firewalls and patches to fix system errors, and to update and check systems regularly, he said.

Richard Gardner, with the U.S. Department of Homeland Security, discusses cybersecurity in regards to water systems during the third annual Central Utah Water Symposium at the Utah Valley Convention Center Tuesday May 21, 2019. Photo: Lauren Bennett, KSL

"The less overall access that people have to your systems, the better," Gardner advised.

While the recent water scandal in Sandy — where fluoride was accidentally pumped into the city's water supply, contaminating over 1,000 households, schools and businesses — wasn't due to a cyber issue, it shows the impact a water mishap can have on a community.

Gardner mentioned employees should be wary of phishing scams but he also warned of the more undetectable spear-phishing scams where instead of spamming several people, hackers will do research on one person through social media and use their information to target them for the scam.

Ransomware, where hackers hold a website hostage, are usually masked as system updates and a common scam, Gardner said. The city website for Baltimore, Maryland, was recently seized by hackers who demanded payment before they released the site back.

Gardner advised people to only download system updates from the vendor directly and regularly test backup and recovery procedures.

Ransomware is one thing that especially scares Jason Hoyt, electrical group manager for Central Utah Water Conservancy District. He's in charge of the supervisory control and data acquisition, which is an industrial computer that operates water systems such as dams or wells.

Kathryn McMullin, with the Utah Division of Emergency Management, discusses environmental health after critical infrastructure failure at the third annual Central Utah Water Symposium at the Utah Valley Convention Center Tuesday May 21, 2019. Photo: Lauren Bennett, KSL

"We're very concerned about (hacking) and we work hard to make sure that doesn't happen," he said. "We're very concerned about being hacked. But in the same sense we're not real concerned because we feel like we've taken the appropriate steps to protect ourselves."

Their supervisory control and data acquisition system operates sites such as the Jordanelle Dam and Olmstead Diversion Dam and the district sells irrigation and drinking water that impacts about 80 percent of Utah's population, he said.

Another potential threat to water systems, brought up by McMullin during her presentation was low public education and awareness. Mainly, when it comes to reporting suspicious behavior and proper safe water practices in the event of a natural disaster.

She discussed a study completed by the Environmental Protection Agency to determine if backflow water contamination through fire hydrants could be successful.

"So what they did was they connected a service connection pump backed to a fire hydrant," she explained. The study was completed with law enforcement and the local water district's knowledge.

She said a team of people wearing plain clothes in an unmarked van completed the experiment where they pumped non-toxic food grain solution of potassium chloride in a fire hydrant for more than eight hours in a community neighborhood.

"They were highly successful, it went all the way through the system," she said. "The concerning things about this is one — it was unmarked (van), right? — nobody said a word. They spent less than $200, and not one resident ever questioned what they were doing."

Had their intentions been malicious, they would have gotten away with contaminating an entire water system in a public place. McMullin urged attendees who work in water districts to participate in community outreach to raise awareness and education about suspicious activities.

"Do you do any outreach within your community, your customers, that they're watching for suspicious activity that they can feel free to contact you if they see something strange?" she asked the audience.

McMullin said she's currently working with Utah Department of Health to qualify critical utility workers for vaccination prioritization, which she said is currently reserved for hospital personnel such as surgeons.

"Because I need you guys to be able to go to work and protect your families and keep us up and running," she said. "That hospital doesn't have anything if they don't have water and wastewater."

McMullin talked about the significant impact of an earthquake along the Wasatch fault line will have on the state, including liquefaction, building damage, waste disposal issues and damaged water systems.

She used the 2010 Haiti earthquake as an example of the importance of proper water use in a disaster, noting that because of improper waste disposal, 1.1 million people were infected with cholera and 4,500 died as a result.


Related Stories

Lauren Bennett

    KSL Weather Forecast