Romania was the target of a cyberattack of unprecedented severity. It was not a marginal attack and it was not a trivial IT incident. It was an attack on the management of water resources, that is, on a critical infrastructure of vital importance.
A tragedy could have happened.
We have an extremely clear precedent: Florida, 2021. There, only human vigilance – the attention of an engineer – saved the population. The digital system had been compromised, and the concentration of sodium hydroxide in the drinking water had been increased more than 100 times by/with the help of the "digital" taken over by the attackers. If that engineer had not noticed the anomaly and had not manually disconnected the system, a sanitary catastrophe would have occurred. That case clearly demonstrated one thing: digitalization without human duplication and without physical separation is extremely dangerous.
In Romania, judging by the evolution of the attack – slow in the initial phase and violent in the final phase – it is very likely that the intrusion began around December 19. The attack acted discreetly, explored the network, then escalated rapidly, compromising almost 1,000 servers and logistics computers.
8 out of 9 water basin administrations – i.e. the regional structures that manage water resources at the river basin level – were affected. Practically, almost the entire digital support system of this strategic area was compromised.
It must be said very clearly: everything that is digital and has control power in this area – dosing of chlorine, sodium hydroxide, flocculants, clarifiers, control of valves and taps, water levels, pressures, temperatures – can end up in the hands of attackers if there is no strict physical separation between:
the administrative and logistics network (IT), and the operational execution network (OT / SCADA).
Emails, web servers, VPNs, or internet-exposed services have no place in the execution network.
This is a basic rule in critical infrastructure security. Paradoxically, where systems are old, where there is no sophisticated digital control and where operation is still "manual", these installations have been protected precisely by the lack of digitalization.
The rest of the system, however, requires:
- dedicated programs and software,
- clear security strategies,
- mandatory, offline backups, without access to the internet or the administrative network,
tested recovery procedures.
These are not formalistic ideas but textbook solutions. They are standard, known procedures, applied in states that treat water as a national security issue. Romania has extremely well-trained young people in cybersecurity, brilliant, but who are not integrated into decision-making and implementation. Instead, we unnecessarily expose the health of our population.
The situation must be viewed exactly as in a war scenario.
Water is a strategic resource. If compromised, the danger is immediate, massive, and collective. It is unacceptable that it takes 12–24 hours for authorities to realize that systems are compromised, for attackers to have time to archive, encrypt, and take control, and for the response to be delayed and improvised.
What happened on December 19–20 in Romania is about national security, not a simple IT incident.
The questions are direct and cannot be avoided:
1. Are there procedures for simulating cyber incidents?
Is there a centralized, secure control of execution systems?
2. Are there real industrial firewalls?
3. Is there physical separation between logistics and execution networks?
4. Are these measures audited periodically?
If the answer is “no,” then the problem is not past – it is future.
