Hack exposes vulnerability of cash-strapped U.S. water plants

ST. PETERSBURG, Fla. (AP) – A hacker’s botched attempt to poison the water supply of a small Florida city is raising alarms about just how vulnerable the nation’s water systems may be to attacks by more sophisticated intruders. Treatment plants are typically cash-strapped and lack the cybersecurity depth of the power grid and nuclear plants.

The shocking Monday announcement by the local sheriff that the water supply of Oldsmar, population 15,000, was briefly jeopardized last week showed uncharacteristic transparency. Suspicious incidents are rarely reported and are usually chalked up to mechanical or procedural errors, experts say. There is no federal reporting obligation, and state and local rules vary widely.

“In the industry, we all expected this to happen. We have known for a long time that municipal water utilities are extremely underfunded and under-resourced, and this makes them a soft target for cyber attacks,” said Lesley Carhart, principal incident responder at Dragos, which specializes in industrial control systems.

“I deal with a lot of municipal water utilities for small, medium and large cities. And in many cases, each has a very small IT staff. Some of them have no dedicated security staff at all,” she said.

The country’s 151,000 public water systems lack the financial fortification of the owners of nuclear power plants and electric utilities. They are a heterogeneous patchwork, less uniform in technology and security measures than in other rich countries.

As the computer networks of critical infrastructure become more easily accessible via the Internet, and as remote access has proliferated dizzyingly during the COVID-19 pandemic, security measures are often sacrificed.

“It’s a difficult problem, but we need to start tackling it,” said Joe Slowik, senior security researcher at DomainTools. He said the hack illustrates “the systemic weakness of this sector.”

Cybersecurity experts said the attack at a plant 15 miles northwest of Tampa looked ham-handed, even blatant: Whoever breached Oldsmar’s plant on Friday briefly increased the amount of lye, sodium hydroxide, by a factor of 100, using a remote access program shared by plant workers, according to Pinellas County Sheriff Bob Gualtieri. Lye is used to reduce acidity, but in high concentrations it is highly corrosive and can burn. It is found in drain cleaners.

The timing and visibility of the intruder seemed almost comical to cybersecurity experts. A supervisor monitoring a plant console at 1:30 p.m. saw the cursor move across the screen and change settings, Gualtieri said, and was able to reverse the change immediately. The intruder was in and out in five minutes.

The public was never in danger, though the intruder “raised sodium hydroxide to dangerous levels,” the sheriff said. Moreover, the plant’s safeguards would have detected the chemical change in the 24 to 36 hours it would have taken to affect the water supply, he said.

Gualtieri said Tuesday that water goes into holding tanks before it reaches customers and is “caught with a secondary chemical check.” He did not know whether the hacker was domestic or foreign, and he said no plant employee was suspected. He said the FBI and the Secret Service are helping with the investigation. He said it is still unclear how the hacker got in, although it is possible the hacker was able to create administrator credentials.

Jake Williams, CEO of cybersecurity firm Rendition Infosec, said engineers have built in protective measures “since well before remote computer control,” so it is highly unlikely that the breach could have led to a “single point of failure” in Oldsmar’s water.

Attempts to hack water treatment plants have increased over the past year, cybersecurity company FireEye said, but most were by novices, many of whom stumbled into the systems while using a kind of search engine for industrial control systems called Shodan.

The serious threat comes from nation-state hackers such as the Russian agents blamed for the SolarWinds campaign, which hit U.S. agencies and the private sector for at least eight months before being discovered in December. While U.S. officials have called SolarWinds a serious threat, they also call it cyber espionage, not sabotage.

Laying down booby traps that could be triggered in an armed conflict is another matter. Russian hackers are known to have infiltrated U.S. industrial control systems, including the power grid, and Iranian agents are blamed for breaching a dam in suburban New York, but there is no indication that any “logic bombs” were activated, as Russia did in Ukraine when military hackers took down part of the electrical grid for a short time in the winters of 2015 and 2016.

A 2020 paper in the Journal of Environmental Engineering found that water providers have been hacked by a variety of actors, including amateurs just poking around, disgruntled former employees, for-profit cybercriminals and state-sponsored hackers. Although relatively few such incidents have occurred, that does not mean the risk is low or that most water systems are safe. The so-called “air gaps” between Internet-connected networks and the systems that directly manage pumps and other operating components are becoming less common.

“The reality is that many cybersecurity incidents either go unnoticed and consequently are not reported or made public because it can jeopardize the reputation of victims, customer confidence and, consequently, revenue,” the paper says.

After Friday’s incident, Oldsmar officials disabled the remote access system and warned other local officials in the region, which hosted the Super Bowl, to check their systems.

In May, Israel’s cyber chief said the country had prevented a major cyber attack on its water systems the previous month, an attack widely attributed to Iran. Had Israel not detected the attack in real time, he said, chlorine or other chemicals could have entered the water, which could have led to a “catastrophic” result.

The Biden administration has already signaled its intention to strengthen cybersecurity, an area its predecessor was widely accused of not taking seriously enough.

So far this year, the Department of Homeland Security has issued 25 advisories listing various industrial control systems that may be vulnerable to hacking. Affected products range from 3D rendering software to security cameras to insulin pumps.

Chris Sistrunk, technical manager at FireEye’s Mandiant division, said cybersecurity issues are relatively new to U.S. water providers, whose biggest problems have traditionally been pipes freezing and bursting in winter or clogging from disposable wipes. The Oldsmar hack underscores the need for more training and basic security protocols, but not drastic measures such as adopting new regulations, he said.

“We have to do something, we can’t do nothing. But we can’t overreact,” he said.


Bajak reported from Boston and Suderman from Richmond, Virginia. AP Technology Writer Matt O’Brien contributed from Providence, Rhode Island.