By Gwin Hall, GMA Senior Associate General Counsel
In early February, a water treatment plant in Oldsmar, Fla. was hacked by cybercriminals in a frightening reminder of the vulnerability of public technology infrastructure.
The attacker used remote access to the system to change the programmed level of lye for the water from 100 parts per million to 11,100 parts per million. Luckily, this change was detected immediately by a plant operator, who was able to change the lye level back to normal before the hack affected the water supply.
The hackers apparently accessed the plant’s controls through a remote access software that had been installed on the plant’s computers by the water treatment plant. The initial investigation suggests they got credentials to access the computers through a leaked database. While the “who” and “how” of the attack are still under investigation, the hack reminds us of the constant need to safeguard public technology infrastructure from those with ill intent.
It is a reminder that cities across the country, including here in Georgia, would do well to heed. In the past few years many Georgia cities have been victims of hacking or ransomware attacks, which have in some cases caused complete work stoppage and cost the affected cities thousands of dollars. The recent attack in Florida, had it not been caught, could have been much worse and created a public health crisis.
Acknowledging this growing threat, the Georgia General Assembly has introduced at least two bills which aim to address government issues with cyber security. HB 134, by Rep. Victor Anderson (R-Cornelia), was introduced to allow city councils (and other “agencies” as defined in the Open Meetings Act) to discuss cybersecurity plans and contracts for cybersecurity services in executive session.
Votes would not be binding until the city council voted in an open meeting to approve the contract, but, at the time of the writing of this article, the bill would allow the details of the cybersecurity planning to be kept from the public. Also, at the time of this writing, the bill contains provisions that would allow certain records relating to cybersecurity devices, or systems designed to protect against attacks, to be exempt from public disclosure under the Open Records Act.
As introduced, HB 156 by Rep. Don Parsons (R-Marietta) required local governments to report cyberattacks or significant cyber incidents to the state director of emergency management and homeland security (GEMA). The bill also contained similar language to HB 134 concerning executive sessions and the Open Records Act.
We recommend that city officials follow the GMA legislative tracker and communications on these and other bills. Additionally, city officials should be vigilant about their public technology infrastructure and work to ensure that safeguards are in place to prevent attacks that could be damaging to your communities.
This story originally appeared in the March/April 2021 edition of Georgia’s Cities magazine.