I am so glad to see this is the top comment. Hacks on public infrastructure feel to me like one very small step away from actual military actions. I don’t understand why they never seem to be reported with the gravity they deserve.
For all we know, this is the 100th such attack on US infrastructure and this is just the first one reported in recent memory.
A successful attack is much less likely to be made public, for obvious reasons. We may have suffered from successful attacks and not know it (small enough concentrations of contaminants can’t be tasted).
Install water filters, HN. Use them. We have AquaSana under-the-sink in several locations through the house... no pitchers. Whole-house filters do not filter nearly the same variety of crap that under-the-sink and PUR pitchers do. Say no to Brita. Learn your NSF ratings and choose wisely.
It will if it's reverse osmosis (RO), but not all filters do that. That particular brand sells both RO and non-RO units. If it's a vast excess of NaOH, you'll have other problems besides your water filter failing, like chemical burns.
Most US tapwater is fantastically clean and drinkable, and doesn't generally need a filter. The Safe Drinking Water Act is pretty powerful stuff.
US tap water is generally so high in chlorine that to people from Western Europe it smells like pool water, even in places that are proud of their tap water like NYC. Having lived here for ten years now I can no longer smell it when I turn on the sink, but visitors still can.
I live in Seattle, WA, which apparently has some of the cleanest water in the country.
I use one of those under-the-sink inline charcoal cartridge filters on the sink we use to make tea or cook with. If I grab some water from a different tap, you can tell immediately by the smell (chlorine) and the taste.
I'm surprised the filter takes out the chlorine honestly, but it's clearly taking out a bunch of stuff from what is otherwise considered very clean.
That said, having travelled extensively through places like India, South America, East Asia, etc., I'm certainly grateful for the water we have "on tap" in the house. It's easy to take for granted.
You can blame the EPA for mandating chlorination in Seattle's water supply. The watersheds that feed into Seattle drinking water are "Surface Water" and considered high risk by the EPA. This risk assessment is probably more accurate in the rest of the country; our protected watersheds are fairly uncommon. But we don't get any special exemption.
EPA mandates a floor of 0.2 mg/L chlorine for all Surface Water based drinking water supplies at all times[0]. There are additional chlorine requirements depending on what sort of filtration you perform, if any, and how far the first service connection is from the chlorine insertion, in minutes. (They also mandate a safety ceiling of 4 mg/L for all drinking water.) This level is continuously monitored.
Seattle does about 1 mg/L to meet these EPA-imposed requirements.[1]
Chlorine evaporates out of water, so if you don't like the taste, you can just let tap water sit a while. Sunlight helps. Boiling water (e.g., for tea) also removes most of the chlorine.
Weird. Here in Germany we have some protected watershed areas on smaller rivers that directly feed a surface reservoir, created in the river valley through a dam.
They get filtered, but there is no chlorine directly. Some chlorine dioxide is used at the end, though. Here's the official description of the utility, translated to English:
- Via a raw water pumping station, the dam water first reaches the micro-screening plant. It removes coarse contaminants over 35 µm in diameter through stainless steel mesh filters. This provides special safety in times of mass algae growth or during floods.
- Subsequently, the raw water is de-stabilized with a flocculant; and turbid matter accumulates to form large flocs.
- In filter stage 1, two filter materials of different coarseness are used to remove the flocs.
- Ozone is then added to disinfect the raw water.
- Filter stage 2 is equipped with activated carbon and frees the raw water from the reaction products of ozonation. Excess ozone reacts to form oxygen and is thus removed from the raw water.
- The further filter stage 3 uses natural limestone material over which the water flows. Here the excess carbonic acid in the water is removed.
Finally, a small protective disinfection with chlorine dioxide takes place before the drinking water leaves the clean water tank in the direction of <city>.
The steps are similar in Seattle, although I think we filter less. I'm having a hard time finding a concise but also technical description of water treatment steps. We definitely do:
- Ozone disinfection, and removal
- Tolt river supply only: water conditioning by filtering through "granular media." (Cedar river supply is clear enough without this step.)
- UV disinfection
- pH adjustment to avoid corroding pipes
- Fluoridation for public health
- Chlorination as a final step as water leaves the treatment plant, and also at some downstream facilities (like a networking repeater; just to maintain chlorine levels that would otherwise have fallen due to distance from the upstream chlorination site)
I had some tap water in Scotland about 20 years ago and I still remember how amazing it tasted. This was in Aberdeen area if that makes a difference. It was like the finest artesian spring water I’ve ever had.
> Most US tapwater is fantastically clean and drinkable, and doesn't generally need a filter.
It is my understanding that most municipal water utilities only test water quality every 3 months. A problem can come and go between testing cycles.
Even with weekly testing, I’d expect the same risk (there’s still a window between tests). Basically you’re only going to know about a problem when it’s too late.
It depends on what contaminant you are measuring, but the testing frequency can vary from "every several years" to "continuously monitored and sets off a SCADA alarm if it exceeds a given threshold." The biggies--IIRC, turbidity, pH, and dosages of coagulant and treatment chemicals--are logged every 15 minutes, with more tests happening on hourly, 6-hourly, and daily frequencies, followed by yet more contaminants happening largely on monthly or quarterly assessment bases. The issue in question would have shown up in a pH measurement, so there's no reason it shouldn't have been caught within minutes.
You also have to look at the success and failure rates of those tests. Most tests reveal no problems, which implies periodic sampling is plenty to handle the rare problems that crop up. If we found more problems, we would demand more testing, but increased testing is pointless if there is no problem to be found. In reverse, if the tests are not specific enough, they can cause issues when you over-test due to false positives on the tests.
Indeed, you'll see that if a water test comes back positive, there will be multiple retests and a much greater rate of testing until the problem is abated, at least at my local drinking water board.
The whole of it. You stated that most municipal water supplies aren't monitored for months at a time. This is extremely incorrect. The EPA-mandated quarterly report is a summary, not the entirety of samples collected. It would be dangerous and reckless not to monitor drinking water for months at a time.
E.g., Seattle explicitly states:
> We monitor your water 24 hours a day, 365 days a year. We test samples from the region between 10 and 100 times per day.
> To ensure the safety of our drinking water, SPU's water quality laboratory analyzes over 20,000 microbiological samples each year (more than 50 a day) and conducts chemical and physical monitoring daily, 365 days per year.
While you can definitely make a respectable living in the cybersecurity industry, the fact of the matter is that over that same time period the people vomiting JavaScript trackers all over the internet made the same or more money with less effort invested.
Sure, go into security, help make the world more secure... meanwhile I’ll be here writing some JavaScript making twice what you make and working probably half the hours you do.
It's been established that security itself does not increase revenue nor make the quarterly returns look good. Unless there's an incentive for key stakeholders to spend more resources to strengthen the security of their deliverables, it is unlikely for things to change in the near future.
Perhaps a change in KPI or regulation requirements may create such incentive to ensure appropriate actions are taken.
Because this is most likely "teenager broke into a poorly secured shack and turned a random valve to be naughty", not "state actor sabotaged critical infrastructure".
(Still, the problem remains: if a naughty teenager can turn a valve for shits and cause a threat to public health, then perhaps that valve needs some access control.)