Page 2 of 2
The exact number of attacks on water utilities remains unknown. Many go undetected or unreported, and no federal law requires disclosure, even to regulators or law enforcement. Michael Arceneaux, managing director of the Water Information Sharing and Analysis Center, an industry group promoting cybersecurity, said water systems often refuse to reveal breaches, even to his group, out of fear that they will somehow reveal their vulnerabilities to other hackers. "It's not something members wanted potentially floating around in some database."
The episodes that have been made public reveal a growing array of threats, from random vandalism and disgruntled employees to identity theft and ransomware.
In Oldsmar, for example, the FBI and the Pinellas County Sheriff's Office, which are jointly investigating, have already revealed multiple lapses. The attack took place at the city's water treatment plant, which purifies groundwater for drinking using filters and chemicals, including small amounts of sodium hydroxide. Commonly known as lye, it is used to reduce the water's acidity. (In considerably stronger concentrations, sodium hydroxide is also a chief ingredient in drain cleaner.)
The hack began around 8 a.m. on Feb. 5, when a plant operator noticed someone had remotely accessed the computer system that monitors and controls the chemical levels added to the water. The hackers entered through a remote access software program called TeamViewer. The city had actually replaced TeamViewer six months earlier, but it never disconnected the program, according to county Sheriff Bob Gualtieri. Logging into the system remotely was a breeze: The water plant's computers all used a single shared password, required no two-factor verification and had no firewall in place protecting the controls from the internet, according to FBI findings described in a Massachusetts state advisory. A final vulnerability: All the computers were still running on Windows 7, a decade-old, discontinued operating system; Microsoft had stopped issuing regular software updates to plug its security vulnerabilities in January 2020.
After noticing the hacker's morning log-in, Gualtieri later said at the press conference, the plant operator "didn't think much of it" and didn't contact anyone since other city employees routinely accessed the system remotely. (It's not clear why the attacker's use of the replaced TeamViewer software didn't immediately raise concern.)
The hacker reappeared about 1:30 p.m., this time visibly taking over the computer, mousing around for three to five minutes and opening the plant's control system software. After ratcheting up the water's sodium hydroxide level from 100 parts per million to 1,100 parts per million, the intruder departed.
After watching all this, the Oldsmar plant operator quickly lowered the sodium hydroxide level and called his boss. The city contacted the county sheriff's office nearly three hours later, at 4:17 p.m., according to an incident report on the event.
Oldsmar officials maintained that the public was never in danger. They noted that it would have taken at least 24 hours for poisoned water to start flowing out of kitchen taps, and that even if the onsite operator hadn't intervened, the plant had backup systems monitoring the water's chemical balance that would have sounded alarms long before then.
A small number of other incidents present the nightmarish "what-if" scenarios that scare experts, particularly from so-called state actors. Both Russia and Iran have been implicated in such accounts, according to government reports and legal actions. One such episode occurred in 2013, when a state-backed hacker sitting at his keyboard in Iran breached the computer controls at the Bowman Dam in suburban Rye, New York, with a presumed plan to open the sluice gates. The gates happened to have been manually disconnected at the time for maintenance, and the dam was actually just a narrow, 20-foot-high structure holding back a babbling brook. Federal intelligence officials speculated that the Iranians had actually intended to seize controls at the massive Arthur R. Bowman Dam in Oregon, where similar actions would have flooded thousands of homes. A federal indictment later charged that the Bowman Dam hacker worked for Iran's Revolutionary Guard and was part of a seven-man team that successfully breached America's biggest banks, paralyzing their computer servers and blocking customers from accessing their accounts online. The hacker remains at large, and on the FBI's "most wanted" list. In 2019, Revolutionary Guard hackers struck again, deploying malware to launch an ultimately unsuccessful attack on a municipal water system in Israel.
In recent years, three U.S. states — New York, New Jersey and Connecticut — decided to go beyond the federal rules and adopted tougher cybersecurity measures for the water utilities within their borders. After passing new legislation, New Jersey required all public water systems with internet-connected controls to develop a cybersecurity risk-mitigation plan within 120 days, submit it to the state, create a process for reporting all cyberattacks and join a special state-government clearinghouse promoting strong cybersecurity practices. Connecticut launched a "Cybersecurity Action Plan" and began holding private annual meetings with each of the state's largest water (and other) utilities to scrutinize the adequacy of their cyberdefenses.
For its part, New York amended its public health law to require water systems to conduct assessments of their susceptibility to cyberattacks and submit them to the state within a year. A team at the state comptroller's office has also conducted seven cybersecurity audits of municipal water systems, in each case posting the audit publicly while reserving some findings for confidential briefings to avoid offering hackers a road map of vulnerabilities. Its audit of the city of Syracuse's water system, for example, found shared user passwords and accounts that hadn't been disabled long after employees left the city. The Binghamton audit discovered a video on the water department's own webpage showcasing the treatment plant's controls.
"There's a tremendous amount of work that needs to be done to shore up the systems," said assistant New York state comptroller Randy Partridge, who oversees the water system audits. Since January 2019, he said, his auditors have issued 239 findings at various municipal facilities (including water systems) regarding weak password security alone. "It's a health and safety risk for any resident that lives in our local government. No community can really survive for any length of time without access to potable water."
Arthur House, who served as Connecticut's chief cybersecurity risk officer, said: "I hope it doesn't take the poisoning of a lot of people or a catastrophic shutdown for people to say, 'Omigosh, this is serious.' The federal government has to have a role on this. You cannot leave something that would cripple us as a country solely in the hands of 50 different states."
Doris Burke contributed reporting.