LAUREL, Md. — A hacker gets control of a water utility control system. Once inside, that hacker began to increase the amount of chemical lye into the water supply to toxic levels.
No, it’s not a movie script. This really happened in Florida this February, according to the Department of Homeland Security. Employees noticed the hack just in time to stop the water poisoning.
The prime question WUSA9 had for local water officials: Can it happen here?
"What you're seeing is just the steady drumbeat of cyberattacks, ransomware attacks, efforts at getting into and infiltrating systems by people trying to do identity theft," Dave McDonough, security director for WSSC Water, said.
McDonough said what happened in Florida can’t happen in our area because of one main precaution WSSC Water and other DC-area utilities questioned by WUSA9 took.
"Those systems that run water treatment, wastewater treatment, and distribution, all of those things are separate from the internet," McDonough said. "Some utilities have to use internet-connected devices to operationalize their systems. We're very lucky that we don't have to do that."
It’s not just water systems facing cyberattacks.
Critical infrastructure from power providers, to subways, boat ferries and food processing – all reported attacks nationwide in the past months. Hacker’s ransomware can take down a vital system for days including the Colonial Pipeline last month resulting in long lines at gas pumps.
One neighborhood in North Bethesda is an example of what it’s like to live with repeated utility outages. Water has gone out for up to a day three times in 12 months according to residents – the latest from an old burst pipe.
"It's so frustrating because we couldn't, we didn't have time to plan, and of course, it's never one of those things where you can plan for," North Bethesda resident Ah Tu Duong-Gaudio said. "Not being able to get the laundry, get the dishes done."
Maryland Gov. Larry Hogan has called on the federal government to “wake up” to the threat of cybersecurity in an op-ed, calling for legal penalties against companies failing to meet safety standards.
“I think Governor Hogan is right," Jamil Jaffer, founder and Director of the National Security Institute at George Mason University said. "The reality is the government itself is not as well defended as it should be. You see with the Solar Winds hack by the Russians, you saw the Microsoft Exchange hack by the Chinese, we know what happened previously with the OPM attack and all of the information about people’s security clearances going out the back door to China."
Dominion Energy spokesperson Rayhan Daudani told WUSA9 how the company is working to combat the threat of intelligence and the necessary steps they're taking to prevent such crimes.
“Dominion Energy works closely with others in the industry and government security experts to share threat intelligence and ensure we are prepared to protect and defend our networks," Daudani said. "The recent Executive Order will assist in that effort through greater awareness of vulnerabilities and cyber events, as well as by enhancing overall security practices for products and services used across the energy industry."
Jaffer added how the industry is going up against other countries and the impact they have when defending against a wide variety of resources.
“Industry is going up against nation-state actors [such as] Russia, China, Iran, North Korea," Jaffer said. "They have a hard enough tie defending against people who have virtually unlimited budgets, virtually unlimited human resources, to go up against it. So what we really need is the government and industry to come together to collectively defend against these threats."
Regarding privacy, Jaffer said if you anonymize the data, it could possibly solve the problem.
"Remember, what we’re talking about is not email content," Jaffer said. "We’re talking about cyber threats. We’re talking about where the threat is coming from, what the file is, the information that’s inside the malware. It’s not about what they’re saying in their email, what are they saying to their friend, their co-worker.”