Caustic soda poisoning attack in Florida shows cybersecurity gaps in water systems

Oldsmar, Florida, experienced one of cybersecurity’s biggest fears on Friday: hackers trying to poison its water supply.

It is the type of breach that has been reported for years but is rarely seen. Experts say the hack, which was resolved quickly, is an excellent example of why cybersecurity of the U.S. water supply remains one of the biggest risks to the country’s infrastructure.

And, like the US electoral system, it tends to be a broad and varied challenge.

“Water facilities are particularly problematic,” said Suzanne Spaulding, who was the senior cybersecurity official at the Department of Homeland Security during the Obama administration. “When I first joined DHS and started receiving industry-specific instructions, my team said, ‘Here’s what you need to know about water facilities: when you see a water facility, you see a water facility.’”

The approximately 54,000 drinking water systems in the United States are managed independently by both local governments and small businesses. This means that there are thousands of different security configurations, usually maintained by generalists who are responsible for the technology of their specific systems.

“I have been to several water treatment facilities where there are one or two IT professionals,” said Lesley Carhart, a threat analyst at cybersecurity company Dragos. “And they have to deal with everything from provisioning computers and devices that keep the infrastructure running to trying to secure it.

“Most are very aware of this, but they are just drowning,” she said. “They don’t know how to do all the things they need to do to keep things running from an IT perspective and also fill in the compliance checkboxes.”

All of Oldsmar’s cybersecurity services, including those for the water treatment plant, are managed by one man, municipal manager Al Braithwaite, assistant city manager Felicia Donnelly said in an email.

In the case of the Oldsmar attack, all the hackers needed to gain access was to log in to a TeamViewer account, which allows remote users to take complete control of a computer, in this case one associated with the plant. This allowed them to open and manipulate a program that sets the chemical content for the underground water reservoir that provides drinking water for about 15,000 people. The facility has back-up alarms to measure levels of unsafe chemicals, but the hackers managed, at least for a brief period, to order the plant to poison the water.

With a few clicks, they instructed it to increase the level of lye in the water from 100 to 11,100 parts per million. Anything over 10,000 can lead to “difficulty swallowing, nausea/vomiting, abdominal pain and potentially even damage to the gastrointestinal tract,” said Dr. Kelly Johnson-Arbor, a toxicology doctor at the National Capital Poison Center, by email.

Bryson Bort, a cybersecurity consultant who helped start ICS Village, a nonprofit organization that raises awareness of cybersecurity for industrial systems, said that such a practice, creating a computer program to allow users to control sensitive industrial systems, is extremely common in industrial systems that do not have the means to hire teams of specialists to be available at all times.

“If you think about it, you will have a technical and resource challenge to be able to manage things,” he said in a telephone interview. “So the ability to get a 3 o’clock warning light and get that specialist is valuable. People are always perplexed that this is how it is, but this is how it is. resources. I have no choice.”

Hackers sponsored by foreign governments often target US industrial systems, which are often labyrinthine enough that a simple intrusion will not let them shut down the infrastructure. It is unclear who or what was behind the Oldsmar hack.

Federal officials have long been concerned about a possible “cyber Pearl Harbor” incident, in which hackers could physically damage American infrastructure. Although this has not happened, the United States is eager to react when an adversary country comes too close.

In 2013, a hacker broke into computers that controlled Bowman Dam in Rye, New York, and could have gained access to its controls had it not been offline for maintenance. Three years later, the Justice Department accused an Iranian citizen of the hack, saying he worked for a company linked to the Iranian Revolutionary Guard Corps.

And last year, the Treasury Department sanctioned a Russian government institution suspected of creating a powerful and destructive program called Triton, which targets industrial systems.

There is no public evidence that an American company has been seriously harmed by Triton. But that does not mean that hackers in these countries do not try to exploit the open holes in American infrastructure, said Carhart. It means that they know not to cause harm cavalierly.

“Foreign state hackers are there. They are at the water utilities, I promise you. But they know better than to push buttons today,” she said.

“They will wait until they have a good reason to touch the buttons. They are there. We find them all the time.”
