Saturday September 25th, 2021 7:46PM

Hack exposes vulnerability of cash-strapped US water plants

By The Associated Press

ST. PETERSBURG, Fla. (AP) — A hacker’s botched attempt to poison the water supply of a small Florida city is raising alarms about just how vulnerable the nation's water systems may be to attacks by more sophisticated intruders. Treatment plants are typically cash-strapped and lack the cybersecurity depth of the power grid and nuclear plants.

A local sheriff's startling announcement Monday that the water supply of Oldsmar, population 15,000, was briefly in jeopardy last week exhibited uncharacteristic transparency. Suspicious incidents are rarely reported and usually are chalked up to mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.

“In the industry, we were all expecting this to happen. We have known for a long time that municipal water utilities are extremely underfunded and under-resourced, and that makes them a soft target for cyberattacks,” said Lesley Carhart, principal incident responder at Dragos Security, which specializes in industrial control systems.

“I deal with a lot of municipal water utilities for small, medium and large-sized cities. And in a lot of cases, all of them have a very small IT staff. Some of them have no dedicated security staff at all,” she said.

The nation's 151,000 public water systems lack the financial fortification of the corporate owners of nuclear power plants and electrical utilities. They are a heterogenous patchwork, less uniform in technology and security measures than in other rich countries.

As the computer networks of vital infrastructure become easier to reach via the internet — and with remote access multiplying dizzily during the COVID-19 pandemic — security measures often get sacrificed. That appeared to be the case at Oldsmar.

Cybersecurity experts said the attack at the plant 15 miles northwest of Tampa seemed ham-handed, it was so blatant. Whoever breached Oldsmar’s plant on Friday using a remote access program shared by plant workers briefly increased the amount of lye — sodium hydroxide — by a factor of 100, according to Pinellas County Sheriff Bob Gualtieri. Lye is used to lower acidity, but in high concentrations it is highly caustic and can burn. It's found in drain cleaning products.

How the hacker got in remains unclear, Gualtieri said. But some details have emerged.

An advisory that Massachusetts posted for its public water suppliers said the intruder entered through a remote-access program called TeamViewer. It was loaded on all computers used by plant personnel, all of which were connected to the plant’s control system, the advisory said, adding that all users shared the same password — ignoring cybersecurity best practices. Further, those computers “appeared to be connected directly to the Internet without any type of firewall protection installed.”

The Massachusetts advisory said the FBI and other agencies had issued a situational report on the incident. An FBI spokesperson declined to comment on the report.

Oldsmar officials declined to answer questions about cybersecurity measures at the plant.

The intruder's timing and visibility seemed almost comical to cybersecurity experts. A supervisor monitoring a plant console about 1:30 p.m. saw a cursor move across the screen and change settings, Gualtieri said, and was able to immediately reverse it. The intruder was in and out in five minutes.

The public was never in peril, though the intruder took “the sodium hydroxide up to dangerous levels,” the sheriff said. Also, plant safeguards would have detected the chemical alteration in the 24 hours to 36 hours it would have taken to affect the water supply, he said.

Gualtieri said Tuesday that water goes to holding tanks before reaching customers, and “it would have been caught by a secondary chemical check.” He did not know if the hacker was domestic or foreign, and said no one related to a plant employee was suspected. He said the FBI and Secret Service were assisting in the investigation.

Jake Williams, CEO of the cybersecurity firm Rendition Infosec, said engineers have been creating safeguards “since before remote control via cyber was a thing,” making it highly unlikely the breach could have led to “a cascade of failures” tainting Oldsmar's water.

There's been an uptick in hacking attempts of water treatment plants in the past year, the cybersecurity firm FireEye said, but most were by novices, many stumbling on systems while using a kind of search engine for industrial control systems called Shodan. At a congressional hearing Wednesday, former Cybersecurity and Infrastructure Agency director Christopher Krebs said he thought it “very likely” the Oldsmar hacker was a disgruntled employee.

The serious threat is from nation-state hackers such as the Russian agents blamed for the monthslong SolarWinds campaign that has plagued U.S. agencies and the private sector for at least eight months and was discovered in December. While U.S. officials have called SolarWinds a grave threat, they also call it cyberespionage, rather than an attempt to do damage.

Laying boobytraps that could be triggered in an armed conflict is another matter. Russian hackers are known to have infiltrated U.S. industrial control systems, including the power grid, and Iranian agents are blamed for the breach of a suburban New York dam in 2013. But there is no indication any “logic bombs” have been activated, as Russia did in Ukraine when military hackers briefly brought down parts of the electrical grid in the winters of 2015 and 2016.

A 2020 paper in the Journal of Environmental Engineering found that water utilities have been hacked by a variety of intruders, including amateurs just poking around, disgruntled former employees, cybercriminals looking to profit and state-sponsored hackers. Although such incidents have been relatively few, that does not mean the risk is low and that most water systems are secure.

After Friday's incident, Oldsmar officials disabled the remote-access system and warned other city leaders in the region — which was hosting the Super Bowl — to check their systems.

Chris Sistrunk, a technical manager at FireEye's Mandiant division, said cybersecurity issues are relatively new for U.S. water utilities, whose biggest problems are pipes freezing and busting in winter or getting clogged with disposable wipes. The Oldsmar hack highlights the need for more training and basic security protocols, but not drastic measures such as sweeping new regulations.

“We have to do something, we can’t do nothing. But we can’t overreact,” he said.


Bajak reported from Boston and Suderman from Richmond, Virginia. AP Technology Writer Matt O'Brien contributed from Providence, Rhode Island.
