An unknown hacker remotely accessed the chemical controls of a water treatment plant in the City of Oldsmar, near Tampa, Fla., earlier this month. This breach is a reminder that the country’s water infrastructure is poorly secured in cyberspace — and that vulnerabilities in this critical system pose real-world consequences.
Upon gaining access to the system, the hacker increased the amount of sodium hydroxide in the water to dangerous levels. Sodium hydroxide is lye and the main ingredient in drain cleaner. At high levels, it would have poisoned the city’s drinking water. The hacker breached the network through TeamViewer software, a commonly used program for remote system maintenance. Industrial control systems cyber experts speculate that the hacker used stolen credentials.
As Samantha F. Ravich, our colleague at the Foundation for Defense of Democracies, observed last June, remote access applications and other types of programs and technology may “reduce costs, enhance efficiencies, and improve quality,” but because water utilities are “not implementing security systems and processes” in parallel, these programs also introduce vulnerabilities.
Fortunately, the Florida hacker accessed the system during normal business hours (the hack occurred at 8 a.m. and 1:30 p.m. local time) when an operator was sitting at the monitor. That operator’s observations and subsequent actions prevented disaster. A stealthier hacker would not have been so sloppy.
At a press conference, Sheriff Bob Gualtieri and other local officials were quick to reassure the public that the operator immediately detected and reversed the hacker’s actions before additional chemicals were added and that alarms in the system would have sounded before tainted water reached the public. What these officials did not mention is whether these alarms are hard-wired or whether a hacker could have remotely accessed and altered or disabled them.
Despite the city’s success at preventing the worst from happening, this is also a story of cyber failures.
The operator observed another person accessing his computer early in the morning but did not report an intrusion, because he assumed the person was his supervisor. He did not find it suspicious that the person used TeamViewer even though the utility had switched to a different software six months prior. Had the operator utilized best practice training for cyber hygiene, which would have taught him that he should talk to his supervisor to confirm the observation of an apparently routine remote access, he could have alerted security personnel five hours earlier during the first observed intrusion.
At this point, that 8 a.m. intrusion is the first known breach, but when asked by reporters if the hacker had access to the system before Feb. 5, city manager Al Braithwaite could only confirm that investigators are looking at past logs to try to determine.
When asked if similar attacks had occurred “at other agencies around the country,” Braithwaite said he was unsure. In fact, however, a year earlier, a South Carolina water utility suffered an attack that disabled its online payment systems. In 2019, a ransomware attack hit a small water utility in Colorado. In 2015, the water industry reported the third-most cyber incidents behind critical manufacturing and energy.
The United States has more than 148,000 public water systems and more than 70,000 water and wastewater utilities. Many of these facilities “lack the required technical and financial capabilities to address all emerging risks, such as cyber risks,” according to a 2016 National Infrastructure Advisory Council Report.
The situation has not improved over the past five years.
The Cyberspace Solarium Commission concluded in March 2020 that “water utilities remain largely ill-prepared to defend their networks from cyber-enabled disruption.” In fact, the former chief technology officer for the state of New Jersey called water and wastewater “probably the least mature sector [of 16] from a cybersecurity standpoint.”
As the sector-specific agency (SSA) and risk manager for the water and wastewater industry, the Environmental Protection Agency (EPA) is responsible for identifying and assessing cyber risks to the industry. The EPA’s cybersecurity budget, however, is a fraction of that of the Department of Energy, the SSA for the closest comparable lifeline sector.
Senators did not ask EPA administrator nominee Michael Regan any questions about — nor did he offer his assessment of — the cybersecurity of the water industry during his three-hour confirmation hearing in early February. Regan and the senators discussed the need for investment in water infrastructure in the context of quality, climate change, economic development, and smarter systems — but not about the security of these systems.
Municipal governments own more than 80 percent of U.S. water systems and more than 95 percent of wastewater systems, but most of these local governments lack the resources to make the needed cybersecurity investments. The EPA, in partnership with the Department of Homeland Security, should explore creating a grant program that would specifically assist local governments in protecting this critical infrastructure.
The City of Oldsmar had the good fortune to mitigate an attack by an unsophisticated hacker. Next time, we may not be so lucky.
Retired Rear Admiral Mark Montgomery is a senior fellow at the Foundation for Defense of Democracies (@FDD), senior director of FDD’s Center on Cyber and Technology Innovation (CCTI), and senior advisor to the Cyberspace Solarium Commission. Annie Fixler is deputy director of CCTI. Follow the authors on Twitter @MarkCMontgomery and @AFixler. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.