Dayton’s drinking water systems have layers of security to curb hacking, officials say

David Huff, a city of Dayton water treatment plant operator, washes a filter while also practicing social distancing at the city’s Miami Water Treatment Plant on March 3. City water treatment employees continue to ensure customers get clean drinking water while also protecting themselves and co-workers during the COVID-19 pandemic.| CONTRIBUTED
Caption
David Huff, a city of Dayton water treatment plant operator, washes a filter while also practicing social distancing at the city’s Miami Water Treatment Plant on March 3. City water treatment employees continue to ensure customers get clean drinking water while also protecting themselves and co-workers during the COVID-19 pandemic.| CONTRIBUTED

A cyber attack like one recently attempted in Florida, where a hacker tried to add dangerous levels of chemicals to the drinking water is unlikely to happen in Dayton and some local municipalities because the operation of their treatment plants isn’t connected to the internet, city officials said.

Dayton also has several redundancies in place that makes it difficult for anyone to hack into the system and tamper with the drinking water, said Mike Powell, the city’s water director. Dayton supplies water to more than 400,000 people in the city and Montgomery County.

Not even Powell has the ability to access the system remotely, he said. Water security and safety are serious matters, and he and other city officials treat it as if customers are their relatives, Powell said.

ExploreCOVID-19: Safe water systems crucial during outbreak

Dayton has employees working 24 hours a day who monitor the Supervisory Control and Data Acquisition ― SCADA ― the water plants’ operational systems, to ensure that everything runs as it should, and no one tampers with it, he said.

A security team also is devoted to monitoring the plants and SCADA for physical and virtual threats, he said.

“This is what we do,” Powell said.

The city of Xenia water treatment plant’s SCADA also is not connected to the internet because of security reasons, said Joe Bates, water treatment supervisor.

A hacker gained entry to the system controlling the water treatment plant of a Oldsmar, a Florida city of 15,000, and tried to taint the water supply with a caustic chemical, exposing a danger cybersecurity experts say has grown as systems become both more computerized and accessible via the internet.

The hacker who breached the system at the city of Oldsmar’s water treatment plant on Friday using a remote access program shared by plant workers briefly increased the amount of sodium hydroxide by a factor of one hundred (from 100 parts per million to 11,100 parts per million), Pinellas County Sheriff Bob Gualtieri said during a news conference Monday.

Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.

Robert M. Lee, CEO of Dragos Security, and a specialist in industrial control system vulnerabilities, said remote access to industrial control systems such as those running water treatment plants has become increasingly common.

“As industries become more digitally connected, we will continue to see more states and criminals target these sites for the impact they have on society,” Lee said.

ExploreDayton loses billions of gallons of water every year. What is it doing to stop the costly leaks?

Eight years ago Dayton officials made the decision not to put the computer systems that control its water plants on the internet because they noticed cybersecurity threats were on the rise, Powell said. The city also joined associations such as the Water Information Sharing and Analysis Center ― WaterISAC ― that alerts them whenever threats or other issues emerge relating to drinking water.

About 6 a.m. Tuesday, Powell received an alert from WaterISAC informing him about the breach in Florida and recommending eight action steps water utilities needed to take immediately to avoid similar hacks. Powell reviewed the list and said Dayton had already taken all those steps, he said.

The security team is also proactive, he said, frequently looking for potential entry points into the plants and their computer networks, and blocks them. The system is updated regularly with the latest security programs, and devices are upgraded or replaced before they reach the end of their useful life, Powell said.

They also conduct an annual emergency response exercise that includes cybersecurity and cyber threat scenarios in real time. The staff is tested on how proactive they are and how well they respond to threats. The city also brings in a water systems cybersecurity expert from the Texas A&M university for the exercise. He tells them things they did well, areas of improvement and changes they need to put in place.

In addition, the city’s two water plants run on separate operational systems, so problems at one plant don’t affect the other, Powell said.

“There is a cost to to being proactive, but we feel that that cost is (necessary) because it prevents the much larger expense and consequence of being reactive,” he said.

ExploreEPA awards $73M to Dayton for water infrastructure improvements

The city’s water is distributed to about 250,000 in Montgomery County. Customers who live in the northern part of the county gets their water directly from the city. Water from the city goes to pumping stations in the county that is distributed to southern customers.

Montgomery County’s SCADA system operates on a closed system, which is only accessible remotely by a select few people, said Matt Hilliard, the county’s environmental services director. Multiple levels of security, authentication requirements and emergency notifications are in place to ensure systems are protected to the highest level, he said.

“I just hope that the customers can rest assure that we’re working 24/7 to keep them safe,” Powell said. “We appreciate the confidence they placed in us to be able to deliver a commodity that’s as valuable as water to them.”

The Associated Press contributed to this report.