State and federal officials are warning all water utilities to upgrade their cybersecurity after hackers attempted to poison the water supply of a small Florida city, raising alarms about the vulnerability of the nation’s water systems.
The Wisconsin Department of Natural Resources cautioned Wisconsin’s 611 municipal water systems Wednesday to take steps to secure their computerized control systems, including installing firewalls and using strong passwords.
According to the DNR, on Feb. 5, unidentified hackers gained access to the control system at a water treatment plant in Oldsmar, Florida, and altered the supply of sodium hydroxide, or lye, a caustic chemical used in the water treatment process.
The hackers broke in twice on the same day, but in both cases workers at the treatment plant noticed the change and corrected the problem before the water was affected.
The DNR did not respond to questions about whether it is tracking utility responses to the recommended measures, which were outlined by the Environmental Protection Agency. Officials from the Madison and Sun Prairie water utilities, the largest in Dane County, could not be reached late Wednesday afternoon.
Suspicious incidents are rarely reported and usually are chalked up to mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.
“In the industry, we were all expecting this to happen. We have known for a long time that municipal water utilities are extremely underfunded and under-resourced, and that makes them a soft target for cyberattacks,” said Lesley Carhart, principal incident responder at Dragos Security, which specializes in industrial control systems.
“I deal with a lot of municipal water utilities for small, medium and large-sized cities. And in a lot of cases, all of them have a very small IT staff. Some of them have no dedicated security staff at all,” she said.
The nation’s 151,000 public water systems lack the financial fortification of the corporate owners of nuclear power plants and electrical utilities. They are a heterogeneous patchwork, less uniform in technology and security measures than in other rich countries.
As the computer networks of vital infrastructure become easier to reach via the internet — and with remote access multiplying dizzily during the COVID-19 pandemic — security measures often get sacrificed. That appeared to be the case at Oldsmar.
Cybersecurity experts said the attack at the plant 15 miles northwest of Tampa seemed ham-handed, it was so blatant. Whoever breached Oldsmar’s plant on Friday using a remote access program shared by plant workers briefly increased the amount of sodium hydroxide by a factor of 100, according to Pinellas County Sheriff Bob Gualtieri. Lye is used to lower acidity, but in high concentrations it is highly caustic and can burn. It’s found in drain cleaning products.
How the hacker got in remains unclear, Gualtieri said. But some details have emerged.
The DNR advisory said the intruder got in through software called TeamViewer, which plant operators use to monitor the system.
It was loaded on all computers used by plant personnel, all of which were connected to the plant’s control system, the advisory said, adding that all users shared the same password — ignoring cybersecurity best practices. Those computers “appeared to be connected directly to the Internet without any type of firewall protection installed.”
State Journal reporter Chris Hubbuch contributed to this report.