A Florida city whose water system was hacked last week said Friday that it completed a federally required safety risk assessment three months ago, but had not yet integrated the findings into its emergency plans.
The hacking incident, which came after a security review, highlighted a vulnerability of the more than 50,000 community water systems that supply the majority of Americans with drinking water: they do not have to meet any national cybersecurity standards. .
That is in contrast to utilities, which have had to adhere to increasingly stringent rules since 2008 for the physical and cyber security of key assets and, more recently, for parts of their supply chains. The rules for the electrical industry are reinforced with monetary penalties for infractions.
On February 5, an engineer at a water treatment plant in Oldsmar, Florida, in Pinellas County, detected that a hacker had accessed the facility’s control system and attempted to increase the amount of bleach used to treat the water at a potentially dangerous level. . The control engineer witnessed the tampering, when a ghostly hand moved a cursor over his screen, immediately reversing it, authorities said. But the episode highlighted that few protections are required to defend America’s water supply.
The incident comes as officials warn of the growing sophistication and brazenness of attacks on critical infrastructure. Many attacks are never publicly disclosed, but The Wall Street Journal identified targets in a Russian campaign in 2017 to pierce the defenses of electric services, first by penetrating trusted providers, and another effort in 2019 by unidentified hackers who targeted electrical services in at least 18 states. .
More recently, the government has said that the SolarWinds hack, revealed in December, compromised more than half a dozen federal agencies, including departments of State, Commerce, and Treasury, and critical infrastructure organizations, whose names, so far, have not have been revealed.
The federal government took a small step to address the problem of insufficient cyber defenses in the water industry in 2018 with the passage of the United States Water Infrastructure Act. Water providers serving about 80% of the US population are required by law to conduct safety risk reviews and integrate the findings into their emergency plans.
The largest water providers had to complete that work last year, and all but 10 of the 542 organizations complied, according to the Environmental Protection Agency. But nearly 9,000 smaller suppliers, including Oldsmar’s water department, have until the end of this year to complete their reviews and implement the findings.
The smallest providers, the 40,000 organizations with fewer than 3,300 customers each, are exempt.
Although water systems must certify the completion of their work to the EPA, they are not required to share copies of their work product with the agency. As a result, the EPA does not actually evaluate the quality of its action. Because the agency does not possess the documents, they are effectively outside the scope of federal public records law.
“
“We are a long way from where we need to be, considering the barrage of attacks.”
“
Industry insiders said the 2018 law was a good start, but it cannot be the end point.
“We’re a long way from where we need to be, considering the spate of attacks,” said Kelvin Coleman, a former Department of Homeland Security official who now heads the National Cyber Security Alliance, an educational organization.
The incident that occurred on February 5 was instigated by an unauthorized person who gained remote access to the control system of the Oldsmar freshwater treatment plant, which serves some 15,000 people.
Later, the service engineer told investigators that he didn’t think much about it until the cyber intruder changed the settings for sodium hydroxide, better known as bleach, increasing the additive to an unsafe 11,100 parts per million from a safe level of 100. parts per million. . The plant operator quickly reduced the setting of the corrosive chemical, commonly used in drain cleaners, and notified his supervisor, according to city officials.
Pinellas County Sheriff Bob Gualtieri, who provides police protection for Oldsmar, said in an interview earlier this week that the water department installed a tool called TeamViewer so employees could work remotely. That gave the intruder a door to enter.
The sheriff added that the hacker “had full access to the water treatment system. They could do everything the operator could do sitting in the control room. “
The Oldsmar freshwater plant serves about 15,000 people.
Photo:
Chris Urso / Zuma Press
Federal officials advised water companies this week to carefully examine remote access tools, which have been especially popular during the pandemic. Industry insiders said many improvements can be made with little to no expense, such as enforcing password protection and using encryption and firewalls, but that small utilities struggle with things as simple as cyber training.
The Federal Bureau of Investigation, which is investigating the intrusion, said it has investigated other incidents in which desktop-sharing software was used as an attack vector against critical infrastructure providers.
Cybersecurity experts said preliminary information about Oldsmar’s water department, such as employees sharing a single password in TeamViewer, suggested broader security concerns.
The Water Information Exchange and Analysis Center, a non-profit clearinghouse for threat intelligence targeting water providers, said the incident appeared to be “more opportunistic than sophisticated,” in part because the intruder did not attempt to hide the fact that he was playing with the chemical. delivery system.
Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency, said in testimony before Congress on Wednesday that the intruder may have been a disgruntled employee or a foreign actor. “That is why we do investigations,” he said, adding that the municipal public services defenses “were not where anyone, no operational security professional would like that security position to be.”
Unfortunately, he added, “Oldsmar is probably the rule rather than the exception.”
He urged Congress to consider offering the industry more financial assistance for cyber updates.
An EPA official said the agency estimates that $ 750 billion is needed to replace pipes, upgrade water treatment facilities and improve cyber readiness in water utilities – a huge boost.
Kevin Morley, federal relations manager for the American Waterworks Association, an industry group, said $ 10 million was authorized in 2018 to help small utilities pay for safety upgrades, but Congress never appropriated of money. There are other federal programs that offer low-interest loans and grants.
—Dustin Volz contributed to this article.
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8