Florida Water Facility Breach Highlights Cyber Infrastructure Vulnerabilities
Last week, a hacker was able to breach the computer system of the water treatment facility in Oldsmar, Florida. The attack was detected before it affected the population. Initial reports indicate the hacker or hackers attempted to add dangerous levels of sodium hydroxide to the water supply using the plant’s remote access software. Cyber experts have warned that the attack highlights cyber infrastructure vulnerabilities.
The hackers used the computer system managing the local water supply to increase sodium hydroxide levels in the water from 100 parts per million to 11,100 parts per million, which could have dangerous effects. A plant operator reversed the change within minutes. It would have taken 24-36 hours for the infected water to reach the water supply.
Sheriff Bob Gualtieri of Pinellas County, Florida said of the attempted hack, “This is somebody that is trying, at least it appears on the surface, to do something bad … It’s a bad actor. At no time was there a significant adverse effect on the water being treated. Importantly, the public was not in danger.”
Kiersten Todt, who served as a cybersecurity adviser to President Obama, told Nextgov, “The federal government should be involved with this at every step of the way… I think it very much is a wake-up call to look at how our government is organized and specifically CISA with its responsibility, to say, how are we working with these 50,000 water utilities.”
One federal law that applies to the cybersecurity of water treatment facilities is America’s Water Infrastructure Act (AWIA) of 2018, which requires community water systems serving more than 3,300 people “to develop or update risk assessments and emergency response plans.” The Environmental Protection Agency (EPA) oversees these efforts.
The hacker broke into the Oldsmar Water Treatment Facility’s computer system twice on February 5, 2021. Oldsmar City Manager Al Braithwaite said, “We’ve obviously disabled the program that enabled it to happen. And we are going to make some upgrades to other parts of the system to try to ensure that it doesn’t happen again.”
Sheriff Gualtieri noted that local authorities are working with the FBI and the U.S. Secret Service to identify suspects. At this time, there are so no suspects but several leads. Gualtieri noted that the hacker could be foreign or domestic. It is unclear why the Oldsmar facility was targeted.
In May of last year, Israel thwarted a cyberattack on control systems at Israeli water facilities.
At a White House press briefing on Tuesday, Press Secretary Jen Psaki referred questions to the investigating agencies, but said the Biden administration is “focused on elevating cybersecurity as a threat.”