Regan and the senators discussed the need for investment in water infrastructure in the context of quality, climate change, economic development, and smarter systems - but not about the security of these systems. Senators did not ask EPA administrator nominee Michael Regan any questions about - nor did he offered his assessment of - the cybersecurity of the water industry, during his three hour confirmation hearing in early February. The EPA’s cybersecurity budget, however, is a fraction of that of the Department of Energy, the SSA for the closest comparable lifeline sector. The Cyberspace Solarium Commission concluded in March 2020 that “water utilities remain largely ill-prepared to defend their networks from cyber-enabled disruption.” In fact, the former chief technology officer for the state of New Jersey called water and wastewater “probably the least mature sector from a cybersecurity standpoint.”Īs the sector-specific agency (SSA) and risk manager for the water and wastewater industry, the Environmental Protection Agency (EPA) is responsible for identifying and assessing cyber risks to the industry. The situation has not improved over the past five years. Many of these facilities “lack the required technical and financial capabilities to address all emerging risks, such as cyber risks,” according to a 2016 National Infrastructure Advisory Council Report. The United States has more than 148,000 public water systems and more than 70,000 water and wastewater utilities. In 2015, the water industry reported the third-most cyber incidents behind critical manufacturing and energy. In 2019, a ransomware attack hit a small water utility in Colorado. In fact, however, a year earlier, a South Carolina water utility suffered an attack that disabled its online payment systems. When asked if similar attacks had occurred “at other agencies around the country,” Braitwaite said he was unsure. 5, city manager Al Braithwaite could only confirm that investigators are looking at past logs to try to determine. intrusion is the first known breach, but when asked by reporters if the hacker had access to the system before Feb. Had the operator utilized best practice training for cyber hygiene, which would have taught him that he should talk to his supervisor to confirm the observation of an apparently routine remote access, he could have alerted security personnel five hours earlier during the first observed intrusion.Īt this point, that 8 a.m.
Breached water plant used same teamviewer software#
He did not find it suspicious that the person used TeamViewer even though the utility had switched to a different software six months prior. The operator observed another person accessing his computer early in the morning but did not report an intrusion, because he assumed the person was his supervisor. What these officials did not mention is whether these alarms are hard-wired or whether a hacker could have remotely accessed and altered or disabled them.ĭespite the city’s success at preventing the worst from happening, this is also a story of cyber failures. A stealthier hacker would not have been so sloppy.Īt a press conference, Sheriff Bob Gualtieri and other local officials were quick to reassure the public that the operator immediately detected and reversed the hacker’s actions before additional chemicals were added and that alarms in the system would have sounded before tainted water reached the public. That operator’s observations and subsequent actions prevented disaster. local time) when an operator was sitting at the monitor. Ravich, our colleague at the Foundation for Defense of Democracies, observed last June, remote access applications and other types of programs and technology may “reduce costs, enhance efficiencies, and improve quality,” but because water utilities are “not implementing security systems and processes” in parallel, these programs also introduce vulnerabilities.įortunately, the Florida hacker accessed the system during normal business hours (the hack occurred at 8 a.m.
Industrial control systems cyber experts speculate that the hacker used stolen credentials.Īs Samantha F. The hacker breached the network through TeamViewer software, a commonly used program for remote system maintenance. At high levels, it would have poisoned the city’s drinking water. Sodium hydroxide is lye and the main ingredient in drain cleaner. Upon gaining access to the system, the hacker increased the amount of sodium hydroxide in the water to dangerous levels. This breach is a reminder that the country’s water infrastructure is poorly secured in cyberspace - and that vulnerabilities in this critical system pose real world consequences.
An unknown hacker remotely accessed the chemical controls of a water treatment plant in the City of Oldsmar, near Tampa, Fla., earlier this month.
0 kommentar(er)
