The nation’s top cybersecurity officials issue a warning, saying malicious hackers are targeting government water and wastewater treatment systems.
The cyber breach at a plant in Oldsmar, Florida, which could have resulted in a mass poisoning, was a reminder of a disturbing reality: Despite a decade of warnings, thousands of water systems around the country are still at risk.
Back on February 16th in Oldsmar, Florida, the city’s mayor declared victory. Cybersecurity experts were not impressed with the mayor’s declaration.
“This is a success story,” Mayor Eric Seidel told the City Council in Oldsmar, a Tampa suburb of 15,000, after acknowledging “some deficiencies.” As he put it, “our protocols, monitoring protocols, worked. Our staff executed them to perfection. And as the city manager said, there were other backups. … We were breached, there’s no question. And we’ll make sure that doesn’t happen again. But it’s a success story.” Two council members congratulated the mayor, noting his turn at the press conference where the hack was disclosed. “Even on TV, you were fantastic,” said one.
“Success” is not the word that cybersecurity experts use to describe the Oldsmar episode. They view the breach as a case study in digital ineptitude, a frightening near-miss and an example of how the managers of water systems continue to downplay or ignore years of increasingly dire warnings.
The experts say the lack of an internet firewall and the use of shared passwords and outdated software are common among America’s 151,000 public water systems.
“Frankly, they got very lucky,” said retired Adm. Mark Montgomery, executive director of the federal Cyberspace Solarium Commission, which Congress established in 2018 to upgrade the nation’s defenses against major cyberattacks. Montgomery likened the Oldsmar outcome to a pilot landing a plane after an engine caught fire during a flight. “They shouldn’t celebrate,” he said. “They didn’t win a game. They averted a disaster through a lot of good fortune.”
The motive and identity of the hackers, foreign or domestic, remain unknown. But Montgomery and other experts say a more sophisticated hacker than the one in Oldsmar, who attempted to boost the quantity of lye in the drinking water to dangerous levels, could have wreaked havoc. They’re skeptical of the city’s assurances that “redundant” electronic monitors at the plant protected citizens from any possible harm. “If the attackers could break into the lye controls,” Montgomery said, “Don’t you think they could break into the alarm system and alter the checkpoints? It’s a mistake to think a hacker could not introduce contaminated water into our water systems.”
The consequences of a major water system breach could be calamitous: thousands sickened from poisoned drinking water; panic over interrupted supplies; widespread flooding; burst pipes and streams of overflowing sewage.
With so many problems on the rise, including Covid-19, unstable relations with China and many more, our water systems would be an easy target for causing mass confusion.
Despite the warnings, and some high-profile breaches dating back a decade, the federal government has largely left cyber-defense to the water utilities. For years, it relied on voluntary industry measures, dismissing any need for new regulation.
The 2018 legislation provided $30 million for grants to help water districts deal with “risk and resilience” problems, including cyberattacks. But Congress never appropriated that money.
Why is the government not taking this seriously? Where did the money go?
An EPA official, speaking on the condition of anonymity, agreed that the agency had only “a small team” devoted to water cybersecurity but said Oldsmar “and other recent incidents have highlighted the importance of the priority and the investments we need to make.”
The origins of the problem are clear. The vast majority of the nation’s water systems are small and publicly owned, with limited resources and aging infrastructure. As they turned to digital systems and monitors to boost efficiency while saving money and staff, they failed to install the safeguards and carry out employee training needed to secure the resulting vulnerabilities.
Arthur House, who served as Connecticut’s chief cybersecurity risk officer, said: “I hope it doesn’t take the poisoning of a lot of people or a catastrophic shutdown for people to say, ‘Oh my gosh, this is serious.’ The federal government has to have a role on this. You cannot leave something that would cripple us as a country solely in the hands of 50 different states.”