Florida Water Hack Underscores Lack of Municipal Cyber Funding
The hack is another example of how damaging cyber attacks against small cities and infrastructure can be.
The news Monday that a hacker tried to poison thousands of Floridians via a water treatment plant has again highlighted the fragility of critical infrastructure but also the lack of basic cybersecurity funding that many small cities and towns continue to grapple with on a persistent basis.
At this point, the basics of the hack have been laid out: On Friday, a hacker managed to breach a water treatment facility in Oldsmar, a city of 15,000, just north of Tampa Bay, by raising the level of sodium hydroxide, or lye, in the city's water from 100 parts per million to 11,100 parts per million.
The FBI and Secret Service are now looking into the incident.
Pinellas County Sheriff Bob Gualtieri was transparent in disclosing the incident while speaking at a press conference on Monday. Gualtieri stressed that the city's residents were never in danger and that the intruder was only in the system for three to five minutes before a supervisor observed their actions and stopped them, returning the levels to what they were previously. Even if it had gone unnoticed, it still would have taken 24 to 36 hours for the poisoned water to hit the water supply system. After which, so-called automated PH testing safeguards still would have triggered an alarm and caught the change in sodium hydroxide levels. Without those in place, the incident could have led to vomiting, chest and abdominal pain, experts warned Monday.
The hacker accessed the system via TeamViewer, software that allows for remote access and file sharing. Gualtieri said at first an employee at the plant thought nothing of the hacker’s actions – moving a mouse across the screen to control levels; his supervisors and IT team regularly use TeamViewer to troubleshoot issues. What’s unclear is how the software, which has been leveraged countless times over the years to exploit systems and execute code, was compromised this time around.
According to a report in Motherboard, which discussed the incident with Oldsmar's assistant city manager, Felicia Donnelly, the instance of TeamViewer that the city’s water treatment facility was running did require a password to be controlled remotely. Wired, which spoke with Gualtieri directly, reported the plant uninstalled the software following the attack but that the sheriff couldn't comment directly on security measures the plant was taking. According to the Wall Street Journal, the plant hadn't even used TeamViewer lately - it switched to a different tool six months ago - but it was still in place, somehow still accessible to the intruder.
While the attack was no doubt malicious - it's clear that damage was the end goal here - there are still a lot of unknown: How TeamViewer was compromised, whether an insider or an outsider carried out the attack, whether it was initiated in the U.S. or abroad, and so on.
While the news has reignited the conversation around securing critical infrastructure this week, it's not a new problem. It was more than twenty years ago that one of the first cyberattacks on a water treatment plant was carried out. In 2000, a disgruntled former employee was jailed after hacking into the waste management system of Maroochy Shire, a district just north of Brisbane, in Queensland, Australia. His actions led to the compromise of 142 sewage pumping stations, resulting in one million liters of sewage being leaked into rivers and parks there.
While the security risks around exposed critical systems, switches, breakers, and supervisory control and data acquisition, or SCADA devices accessible via the internet have been well publicized at this point, the story remains the same: Many of these cities and small towns lack the needed funds to properly secure them.
Again, it's still unclear whether Oldsmar had the proper mitigations in place for an incident like this - there's still many details about the hack that are unknown - but if it didn't, it wouldn't be a huge surprise.
This is the case for a lot of aging infrastructure but especially facilities like dams, irrigation systems, and wastewater treatment plants. Utilities that manage water, electric and sewage treatment plants were some of the last to move off of Windows XP when Microsoft stopped providing support for it in 2014.
Securing the integrity of the facilities across the water ecosystem - pumps, basins, distribution centers, treatment centers, and water towers - remains a challenge for the sector as well.
Their plight has not gone unnoticed. The U.S. has close to 170,000 public water systems and attacks against them have increased over the years. A U.S. Department of Energy report (PDF) from a few years ago found that between 2014 and 2015, the reported number of cybersecurity incidents affecting the water sector increased by 78.6% (from 14 to 25).
That's not to say anything of the uphill battle many state-regulated entities face everyday. According to a 2018 study (PDF) conducted by Deloitte and the National Association of State Information Officers (NASCIO), roughly 50% of states don't have a committed cybersecurity line-item budget. According to the study, 30 state CISOs also said at the time they face a cyber competency gap, meaning they lack the knowledge, skills, and behaviors to tackle existing and future cybersecurity requirements.
These statistics are compounded by the fact that many of these systems are running old systems, meaning they have an exceptionally low barrier to entry. Scores of these setups can be found easily via Shodan, a searchable index of exposed databases and industrial control systems, which makes it easier for hackers, too.
While much of the talk around cyberattacks against public infrastructure revolves around how sophisticated attacks are, many of these facilities simply lack the resources to adequately combat them in the first place. It's the same battle that's being played out in the boardroom: Cyber spending is up - IDC projects worldwide security spending to reach $174.7 billion in 2024 - but this spending isn't always aligned to remediate the most significant risks.
We saw just how ripe municipalities are for cyber attacks two summers ago amid a deluge of ransomware attacks against small towns and local government. Attacks against towns in Florida, Texas, along with cities like Baltimore, and Atlanta cost local governments millions to recover from. Until these small governments and facilities get the funding, support, and education they need, for many of them, it's a matter of when, not if, they'll be hacked.