Written by Sean Lyngaas
A hack that apparently affected a Florida water facility’s chemical setting is emblematic of a water sector that’s short on money, cybersecurity personnel and often reliant on the practices of vendors, experts say.
The Feb. 5 incident in Oldsmar, a Florida town of 15,000 people, involved a still-unidentified hacker infiltrating the local water treatment facility’s computer system and trying to increase the amount of sodium hydroxide to a potentially dangerous level, local authorities said. The substance is used in the water purification process but can be toxic at higher levels. No harm was done to public health — the facility had safety checks in place — but the level of access obtained by the attacker has prompted calls for tighter security in the sector.
The breach is an uncomfortable reminder that water facilities struggle to invest as much money in effective security as other industrial organizations, even as they face “an increase in the frequency, diversity, and complexity of cyberthreats,” as a 2020 study of 15 cybersecurity incidents in the water sector found.
Hacking incidents in the sector often fly under the radar, but are marked by some of the same security threats facing other critical infrastructure industries. A North Carolina water utility in 2018, for example, was forced to rebuild its computing infrastructure after a ransomware attack.
Water providers often have much slimmer profit margins than oil and gas companies, and therefore much less money to invest in cyber-defenses. A 2020 survey found that just 19% of water utilities said they were confident that their rates and fees could cover the cost of existing services, never mind pursing infrastructure upgrades.
While there are some notable exceptions, many water utilities in the U.S. are small and saddled with aging infrastructure. They may “only have one or two, maybe three, IT folks who manage the network,” said Chris Sistrunk, a technical manager at Mandiant, the incident response arm of security firm FireEye.
Cybersecurity awareness at smaller water facilities is growing, but it is still “not the major thing that’s on their plate,” said Sistrunk, who has had clients in the water sector. Many municipal water utilities are government-owned, and could benefit from government resources for cybersecurity training and education, he added.
The Oldsmar incident also highlights the need for water facilities to closely monitor network connections set up through software vendors, experts say. Industrial plant operators use such programs to monitor plant performance, but they are a potential pathway for hackers if left unattended.
In Oldsmar, the attacker broke into the facility’s computer system through a remote software program known as TeamViewer, according to Pinellas County Sheriff Bob Gualtieri. Facility operators stopped using TeamViewer six months ago and weren’t aware the program was on their computers, Gualtieri told the Wall Street Journal. A plant operator discovered something was amiss when their computer mouse began moving across the screen.
Experts now are urging water facilities to take a closer look at their relationships with vendors, and restrict remote access when possible. The Water Information Sharing and Analysis Center, a clearing house for cyberthreats in the sector, has publicized security guidance for securing such remote connections in the aftermath of the Oldsmar hack.
Gus Serino, a former cybersecurity staffer at the Massachusetts Water Resources Authority, a public utility that supports the Boston area, said the smaller municipal utilities will often rely on the town’s IT staff to protect their networks.
“They usually don’t even have control systems staff, let alone cybersecurity of the control system,” said Serino, now a principal ICS security analyst at security firm Dragos. “They’re relying on third parties like systems integrators and engineers to design and build those systems and support them.”
Given the sector’s lack of resources, Serino said, “we need to be educating the engineering companies and the integrators” to ensure they design their products more securely.
It is unclear if the Oldsmar incident will spur regulatory or policy scrutiny from Washington. A 2018 U.S. law requires water utilities serving more than 3,300 people to have emergency response plans that account for cyber incidents. Regardless, the sector is far less regulated compared to electricity, which has more stringent cybersecurity standards.
But some analysts say increased regulation, without providing water utilities more resources, will only exacerbate the problem.
“There was a small number of staff at the Oldmar water plant. Putting more requirements on paper wouldn’t have and isn’t going to help them,” said Bryson Bort, founder of cybersecurity companies SCYTHE and GRIMM. “We need to provide real resource support to help the few that are taking care of the many.”