poisoning of tap water

The Sentryo Files examine a past cyberattack aimed at poisoning tap water in the US state of Georgia.

Residents left without tap water after an attack on a water treatment plant

In 2013, someone broke into the precinct of the water treatment plant and managed to change chemical levels used to treat the water. Around 400 residents of Murray County in Georgia were left without tap water for several days.

Physical break-in at a water treatment plant

No Trojan horses or backdoors were used in this cyberattack: the attackers ‘simply’ broke into the plant by hopping over the barbed wire fence! There were no signs of forced entry on the doors or the windows of the operation control building. Furthermore, the GPS in employee vehicles showed that the employees were nowhere near the plant at the time of the intrusion.

Chlorine and fluoride in toxic doses

The intruders gained access to the plant control system and were able to change the amount of chloride and fluoride normally added to treat water.

Residents left without tap water

The company in charge of the water treatment plant was forced to inform the public and health authorities ordered residents not to consume tap water. More than 400 residents supplied by the water treatment plant were left without tap water for several days.

Secure a critical industrial system against physical intrusion risks

The way the intruders broke into the plant shows that securing physical access to a critical infrastructure must not be overlooked when securing industrial systems.

Protection measures

To protect yourself from this type of attack, various protection measures can be taken:

  • Reinforced control of physical access: the barbed wire fences around the water treatment plant were not enough to prevent the attackers from breaking into the precinct.
  • Surveillance of areas at risk in order to detect break-ins and possibly identify the intruders
  • Revoking access rights when employees leave their jobs at the plant to ensure they don’t later break into the site
  • Security supervision of the industrial site and IT systems in order to detect suspicious changes to settings such as the amount of chloride and fluoride in the water
Potentially serious consequences
It wasn’t easy for the residents of Murray County to go without water for several days; however, things could have been worse. The consequences of poisoned water on the public’s health could have been a lot more serious had the weekend staff not detected the changes to the amount of chemicals used to treat water.

Critical infrastructures, such as essential service operators, must implement tailored solutions to ensure protection against physical intrusions and the risks of remote cyberattacks.

Want to dig deeper?

Read our account of another cyberattack on a water treatment plant in 2015.