Water Treatment SCADA Systems Controlling Chemical Dosing Have No Cyber-Physical Safety Limits
Water treatment plant SCADA systems that control chemical dosing — chlorine disinfection, fluoride addition, pH adjustment, coagulant injection — operate on the same unprotected OT networks as monitoring sensors, with no independent safety limits that would prevent a compromised SCADA system from commanding lethal chemical concentrations. The 2021 Oldsmar, Florida incident demonstrated this directly: an attacker remotely accessed the plant's SCADA system and attempted to increase sodium hydroxide (lye) dosing from 100 ppm to 11,100 ppm — a 111× increase that would have made the water caustic. The attack was stopped only because an operator happened to be watching the screen. Of approximately 52,000 community water systems in the US, EPA estimates that more than 70% have cybersecurity deficiencies, and the majority lack any independent safety instrumented system (SIS) that would override SCADA commands outside safe operating ranges.
Water treatment directly affects public health — chlorine under-dosing enables pathogen transmission, while over-dosing creates toxic disinfection byproducts. Chemical dosing errors at water treatment plants can affect thousands to millions of people within hours, with limited ability to recall distributed water. The consequences are asymmetric: a successful attack on chemical dosing could contaminate a city's water supply before the attack is detected. Municipal water utilities are among the least resourced critical infrastructure sectors — the median US water utility serves fewer than 3,300 people and has minimal IT staff, let alone cybersecurity expertise. Water sector SCADA systems are increasingly connected to the internet for remote monitoring and maintenance, exposing control systems designed for isolated networks.
CISA provides cybersecurity advisories and free assessments, but uptake is limited — small utilities lack staff to implement recommendations. EPA's efforts to add cybersecurity requirements to Safe Drinking Water Act surveys were challenged by state attorneys general and scaled back. Independent safety instrumented systems (SIS) exist in chemical and petroleum industries (IEC 61511) but have not been adopted in water treatment because the standard was written for large industrial facilities, not small municipal plants, and the cost ($50K–$200K per plant) is prohibitive for utilities with annual budgets under $1M. Network segmentation guidelines exist but many utilities operate flat networks where SCADA, business IT, and internet access share the same infrastructure. Commercial water treatment SCADA vendors have been slow to add cybersecurity features because their customers (small municipalities) don't demand them and can't pay for them.
Low-cost, standalone chemical dosing safety limiters — hardware devices that sit between SCADA controllers and chemical feed pumps, enforcing hard physical limits (e.g., chlorine never above 4 ppm, pH never below 6.5 or above 8.5) regardless of SCADA commands. These would function as cyber-physical circuit breakers, analogous to mechanical pressure relief valves in steam systems. Simplified cybersecurity tools designed specifically for small water utilities — not repurposed enterprise IT security products. Federal or state funding mechanisms that bundle cybersecurity improvements with other water infrastructure investments (pipe replacement, treatment upgrades).
A team could prototype a standalone chemical dosing safety limiter using an industrial PLC or Arduino-class controller that monitors the SCADA-to-pump communication and blocks commands outside preset safe ranges, independent of the SCADA system's software state. A cybersecurity team could conduct a tabletop assessment of a small water utility's attack surface (with utility cooperation), map the path from internet-facing entry points to chemical dosing controls, and propose minimum-cost mitigations. Relevant disciplines: control systems engineering, cybersecurity, environmental engineering, embedded systems.
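A sketch of the decision logic such a limiter could run on an Arduino-class controller, as an added example that is not code from any vendor or from the sources cited here. The 0–150 ppm accepted command range and the starting setpoint are constructed values; the pH 8.5 trip reuses the example limit above, and the test command mirrors the Oldsmar jump to 11,100 ppm.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Limits live in the limiter's own firmware; SCADA has no write path to them. */
typedef struct {
    double cmd_min, cmd_max; /* accepted dosing setpoint range */
    double meas_max;         /* measured value at which the feed is inhibited */
} limits_t;

typedef struct { double held; bool tripped; } limiter_t;
typedef enum { PASS, BLOCKED, TRIPPED } verdict_t;

/* One control cycle: returns the verdict and writes the pump setpoint to *out. */
verdict_t limiter_step(limiter_t *s, const limits_t *lim,
                       double cmd, double measured, double *out)
{
    /* A failed sensor (NaN/inf) or a high reading trips and latches: feed off. */
    if (s->tripped || !isfinite(measured) || measured >= lim->meas_max) {
        s->tripped = true;
        s->held = 0.0;
        *out = 0.0;
        return TRIPPED;
    }
    /* Out-of-range or malformed command: drop it, keep the last accepted one. */
    if (!isfinite(cmd) || cmd < lim->cmd_min || cmd > lim->cmd_max) {
        *out = s->held;
        return BLOCKED;
    }
    s->held = cmd;
    *out = cmd;
    return PASS;
}

/* Reset is a local action (e.g. a key switch), never a network command. */
void limiter_local_reset(limiter_t *s) { s->tripped = false; }

int main(void)
{
    /* Constructed values: caustic feed, 0-150 ppm accepted, pH trip at 8.5. */
    const limits_t naoh = { 0.0, 150.0, 8.5 };
    limiter_t s = { 100.0, false };
    double out;
    verdict_t v = limiter_step(&s, &naoh, 11100.0, 7.4, &out);
    printf("verdict=%d pump=%.0f ppm\n", v, out);
    return 0;
}
```

The sketch covers a single feed whose dosing raises the measured value (caustic and pH, or chlorine and residual); a low-side limit such as pH 6.5 needs its own interlock on the acid feed.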
Targets C8 (OT/Cyber-Physical Security). The structural pattern matches: safety-critical control systems designed for isolated operation are now network-connected without commensurate security controls, and the installed base of vulnerable systems has a 15–25 year replacement cycle. The `temporal:worsening` tag passes the three-requirement test: (1) increasing internet connectivity of water SCADA; (2) documented increase in attacks targeting water systems (CISA issued 4 water sector advisories in 2023–2024 vs. 1 in 2019–2020); (3) the threat surface is genuinely expanding, not just more visible. Distinct from `infrastructure-water-ot-security-gap` (which covers IT/OT convergence for water systems generally, not the specific chemical dosing safety gap).
CISA, "Water and Wastewater Systems Sector — Cybersecurity Advisory," AA21-042A, updated 2024; EPA Office of Inspector General, "Management Alert — Cybersecurity Challenges for Community Water Systems," 2024; Oldsmar water treatment facility incident analysis, 2021; accessed 2026-02-25