As American cities embrace tech, cyberattacks pose real-world risks

Jack Graham –

The word “cyberattack” usually brings to mind hackers breaking into a company or government agency, wreaking havoc and stealing valuable data. But for an employee at a Florida water treatment facility, an even scarier event took place in February.
On his shift at the plant, which treats water for about 15,000 people in Oldsmar, a town near Tampa, he noticed that the levels of a chemical additive in the water were increasing.
Hackers had remotely gained access to the plant’s computer system and were adding more sodium hydroxide to the water supply. Typically used in small amounts to control acidity, at higher levels it can become dangerous to drink. The employee alerted his boss, the command was reversed and the crisis was averted.
But for cybersecurity experts in North America, the Oldsmar attack is a warning of how the shift towards smart technologies like remote access during Covid-19 is making cities and their critical infrastructure more vulnerable to attacks.
“Digital transformation has a soft underbelly, which is a digital risk,” said Grant Geyer, chief product officer of Claroty, an industrial cybersecurity firm headquartered in New York. “The same connections that enabled new emerging technologies to help the world also provide the perfect venue for cybercriminals and nation-state-sponsored actors to conduct malfeasance, not just in the cyber world but (also) in the physical world,” he said in a phone interview.
That means it is not only private digital information that could be at stake, but also the water people drink, the energy they use and even their lives. Last September, German prosecutors opened a homicide case after a woman died when her ambulance had to be diverted because the first hospital it arrived at in Duesseldorf was unable to admit her due to a cyberattack.
If prosecuted, it would be the first case of someone dying as the direct consequence of a cyberattack.
Several major US cities, including Los Angeles and New York, have poured resources into their cybersecurity efforts. However, many small- and mid-sized cities lack the funding and expertise to bulk up their cyber defences, said Scott Shackelford, chair of the cybersecurity programme at Indiana University Bloomington, who runs a free cybersecurity clinic.
Mostly catering to local governments, the clinic advises on things like managing data and dealing with ransomware — a type of malicious programme hackers use to take control of computer files so they can demand hefty payments to recover them.
— Thomson Reuters Foundation