In February, a hacker broke into a remote access program at a Florida city’s water treatment plant and briefly raised the amount of lye from 100 parts per million to 11,100.
According to the Associated Press, a supervisor for the city of Oldsmar’s plant saw a mouse icon moving across a computer screen and tampering with the chemical. The employee managed to reverse the change, and investigators said there was no danger to the public.
Treatment plants, the AP reported, use lye to treat water acidity, but in large quantities it can cause irritation and burns. Oldsmar officials, the AP said, disabled the remote-access system and noted that there were additional safeguards to prevent the chemical from getting in the water supply.
The incident garnered national attention and has sparked scrutiny of the security of the nation’s water infrastructure.
Locally, Johnson City officials say there has been no evidence of any attempts to hack or intrude into the operations system at the city’s treatment plants.
The city has two water sources treated respectively at the Watauga Water Treatment Plant and the Unicoi Water Treatment Plant. They provide water to portions of four Northeast Tennessee counties, covering a service population of about 120,000 people.
Tom Witherspoon, director of water and sewer services, said the city has safeguards in place. Business systems such as email, the work-order system and Microsoft products are on separate servers than operations software. The two servers are not interconnected.
“Firewalls are utilized in accordance with industry standards,” Witherspoon said. “Water & Sewer Services works with the city’s IT department to train employees and monitor networks and technology.”
Communications between facilities and remote sites do not use an internet connection, he added. All changes to plant operations or remote sites also must be made in person from a secure centralized location that is staffed and monitored 24/7. Changes cannot be made remotely from laptops, desktops or smartphones.
“That is intentionally restricted,” Witherspoon said.
The limited number of automated systems would make it easier for employees to manually make adjustments in the event of a hack, Witherspoon said. He said Johnson City would be prepared to return to fully manual operation if necessary.
“Cybersecurity is an ever-changing landscape and challenge,” Witherspoon said. “What is currently in place may not be adequate in 3-5 years. It is important that our planning, system structural components and security be regularly updated and evaluated.
“While what we are doing today and historically has been successful, the challenges will continue to change and our preparation and modifications necessary to meet those challenges will also need to change. We believe that we will continue to be prepared.”