By Marcus Hensel, VRSA Deputy Director
What’s more interesting than just hearing about the Florida water system hack? Understanding the minimal level of effort needed to gain entry.
In early February, two days prior to the Super Bowl, a water treatment plant in Oldsmar, Florida, was remotely accessed by unauthorized actors. These actors changed the levels of sodium hydroxide, or lye, in the drinking water, not once – but twice.
If you are like me, you may be thinking back to balancing chemistry equations or the show Breaking Bad. Sodium hydroxide is a base compound used to manufacture many everyday products such as cleaners and detergents. For the water treatment process, sodium hydroxide controls water acidity and assists in the removal of heavy metals from water.
In short, these incidents amount to poisoning a water supply system.
Understandably, this is front page news. Sadly, there is no way to tell the frequency of these incidents occurring. In this case, the local sheriff held a news conference to bring attention to the incident; otherwise, the public may have never known.
Let’s start with the good news.
An operator witnessed the unauthorized actor taking control of the system and changing the levels of sodium hydroxide. The issue was corrected before any manipulation or reset was required; therefore, the city’s water supply was not affected. If the operator was not present to witness the change, the water treatment plant also had other monitoring measures in place that should have raised alarms as to the levels of chemicals present.
Here is the bad news.
The facility, like many of its kind, uses a Supervisory Control and Data Acquisition System (SCADA), to allow staff to remotely monitor and control systems. This method falls under normal procedures for many municipal utilities. Again, this is normal operating procedure when the proper controls are in place.
In this case, however, the facility used weak strategies, procedures, and mechanisms for security – which allowed bad actors to exploit the system and gain unauthorized access.
One of the biggest concerns is the facility’s operating system. The facility is still using Windows 7. In fact, Microsoft ended support for Windows 7 in January 2020. This means there are no security updates or patches to protect against emerging threats. Other widely accepted password and network security protocols were not followed – as it appears all staff shared the same username and password for the remote-access program. Also, there was no firewall to safeguard the facility’s network.
Cyber threats are becoming increasingly common, particularly in the public sector space. Unfortunately, public bodies are targets as they are viewed as having older, more vulnerable computer systems.
There are calls for action and investment in cyber mitigation strategies, as public bodies are not powerless against these attacks. One example is Congress passing the Water Infrastructure Act of 2018. The Act gives utilities serving fewer than 50,000 residents until the end of June 2021 to complete a cybersecurity risk and resiliency assessment; however, there is no commitment for funds to remediate any findings from the assessment. Since the term “cyber” is included only twice in the 129-page document, municipal utilities must be proactive in their approach to securing their facilities.
In the Florida water system hack, bad actors accessed the system by exploiting poor cyber hygiene, including poor password and network security and an outdated operating system. VRSA provides broad cyber coverage and extensive resources to its members in order to avoid such risks. One such resource is a cyber security risk management guide and support through YourCISO. This resource provides organizations with quality information, security resources and consulting services including awareness training, security program sample documentation and security health check to benchmark your organization’s cyber risk.
Additionally, cyber security courses may be completed on VRSA’s Online University platform which is a source of free, unlimited courses for members. These courses are designed to help promote awareness throughout your organization. The cyber threats might change, but ongoing trainings and best practices will help protect your organization.
VRSA is here to protect our members and their employees so they may effectively serve their communities. If interested in learning ways to help evaluate and mitigate your cyber risk, please contact your member service representative.