Security hole at water plants
Cyberattack in Florida city exposes flaw underfunded facilities face across nation
ST. PETERSBURG — A hacker’s botched attempt to poison the water supply of a small Florida city is raising alarms about just how vulnerable the nation’s water systems may be to attacks by more sophisticated intruders. Treatment plants are typically cash-strapped, and lack the cybersecurity depth of the power grid and nuclear plants.
A local sheriff’s announcement this week that the water supply of Oldsmar, population 15,000, was briefly in jeopardy last week exhibited uncharacteristic transparency. Suspicious incidents are rarely reported, and usually chalked up to mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.
“In the industry, we were all expecting this to happen. We have known for a long time that municipal water utilities are extremely underfunded and underresourced, and that makes them a soft target for cyberattacks,” said Lesley Carhart, principal incident responder at Dragos Security, which specializes in industrial control systems.
“I deal with a lot of municipal water utilities for small, medium and large-sized cities. And in a lot of cases, all of them have a very small IT staff. Some of them have no dedicated security staff at all,” she said.
The nation’s 151,000 public water systems lack the financial fortification of the corporate owners of nuclear power plants and electrical utilities. They are a heterogenous patchwork, less uniform in technology and security measures than in other rich countries.
As the computer networks of vital infrastructure become easier to reach via the internet — and with remote access multiplying dizzily during the COVID-19 pandemic — security measures often get sacrificed.
“It’s a hard problem, but one that we need to start addressing,” said Joe Slowik, senior security researcher at DomainTools. He said the hack illustrates “a systemic weakness in this sector.”
Cybersecurity experts said the attack at the plant 15 miles northwest of Tampa seemed ham-handed, it was so blatant: Whoever breached Oldsmar’s plant Friday using a remote access program shared by plant workers briefly increased the amount of lye — sodium hydroxide — by a factor of 100, according to Pinellas County Sheriff Bob Gualtieri.
Lye is used to lower acidity, but in high concentrations it is highly caustic and can burn. It’s found in drain cleaning products.
The intruder’s timing and visibility seemed almost comical to cybersecurity experts. A supervisor monitoring a plant console about 1:30 p.m. saw a cursor move across the screen and change settings, Gualtieri said, and was able to immediately reverse it. The intruder was in and out in five minutes.
The public was never in peril, though the intruder took “the sodium hydroxide up to dangerous levels,” the sheriff said. Also, plant safeguards would have detected the chemical alteration in the 24-36 hours it would have taken to affect the water supply, he said.
After Friday’s incident, Oldsmar officials disabled the remote access system and warned other city leaders in the region to check their systems.