A lot of things are connected to the internet. That connectivity makes remote troubleshooting and maintenance possible. It also represents a security hole that can be patched and monitored, but never completely closed.
An unknown hacker entered the computer system that controls the water treatment plant in Oldsmar, Florida, and raised the sodium hydroxide (lye) level from 100 ppm to 11,100 ppm. An operator on duty noticed the change and restored the correct setting. The FBI and the Secret Service are investigating. The system no longer has remote accessibility.
There are three priorities in computer systems and servers. They can conflict.
1. Accessibility: The people who need access to the information and programs to perform their jobs need to be able to connect, access, and run programs with a minimum of difficulty. This is usually where admins are focused because when the analyst or the doctor can't get to what they want RIGHTNOWDAMMIT, the I.T. tech's boss gets a call from his boss and things always roll downhill.
2. Redundancy: How is the data backed up? Where is the data backed up? How frequently is the data backed up? In the event of a failure, how do you restore the data? Have you real-world tested it by doing a restore? Is there a second copy stored off site in real time?
3. Security: How hard is it to get into the system? How are users managed? How is access managed? What sort of firewalls are in place? What sort of intrusion detection? What sort of change tracking system? Is it automated? How often is there a full security review? (There are more questions, but if you can answer these, you're doing pretty good.)
It would not surprise me to find out that the person who did this either works for the city or is close to someone who is. The weak link in system security is the users.