Inside Cybersecurity

July 19, 2024

Daily News

U.S. EPA, water sector emphasize best practices after Florida hack, but incident raises systemic and oversight issues

By Charlie Mitchell / February 9, 2021

A quick-thinking operator and systemic redundancies may have prevented catastrophe after a hacker tried to poison a Florida water supply, but the incident also underscores potential costs from uneven oversight of critical infrastructure sectors.

The U.S. Environmental Protection Agency is the sector-specific agency for securing water systems, while the Cybersecurity and Infrastructure Security Agency, which leads in cyber response for most critical infrastructure sectors, was referring inquiries to federal and local partners in the case of the attack targeting the Oldsmar, FL, water treatment facility.

EPA said in a statement, “Instances like this one in Oldsmar underscore the importance of vigilance by water utility employees and staff in addressing the threat of cyber intrusions. EPA has tools to assist water and wastewater utilities in preparing for, identifying, responding to, and recovering from cyber-attacks.”

The agency said, “EPA works closely with the water sector industry as well as other federal, state, local, tribal and territorial, and private sector partners. To provide utilities with the most current resources, EPA has developed a website that utilities can reference to find the most updated alerts, information, and tools that may be used to improve cyber resilience.”

But Kiersten Todt of the Cyber Readiness Institute observed, “I would assert water is one of the most critical infrastructures -- along with telecom, financial, and energy -- and the sector itself does not have the capabilities right now to protect itself from a cyber perspective, so who does? Should CISA be working with EPA to protect the water sector? I think the likely answer is yes and I believe there has been cooperation, but at a mid-level.”

Todt, the executive director of the 2016 Commission on Enhancing National Cybersecurity, said, “There are approximately 50,000 water utilities in the U.S. [and] we can’t possibly expect these utilities to be up to speed on their cyber protections, can we? I was asked last year if we should consolidate all of the water utilities -- I don’t believe in consolidating into one (single point of success is a single point of vulnerability and potential failure) -- but certainly consolidating to fewer than 50,000 -- maybe 1,000 -- could help.”

The Florida hack is likely to come up Wednesday at a House Homeland Security Committee cybersecurity hearing, according to a panel source, who said roles and responsibilities in cyber defense is among the topics primed for discussion.

The FBI is investigating the Friday incident in coordination with Florida state and Pinellas county officials, according to the federal government. Authorities have yet to identify the perpetrator, who accessed the treatment plant’s computer system and tried to vastly increase the ratio of sodium hydroxide in the water, which could’ve caused mass casualties.

The Tampa Bay Times reported on Monday: “A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it, [Pinellas County Sheriff Bob] Gualtieri said. City officials on Monday emphasized that several other safeguards are in place to prevent contaminated water from entering the water supply and said they’ve disabled the remote-access system used in the attack.”

Saryu Nayyar, CEO of the cyber firm Gurucul, said, “The cyberattack against the water supply in Oldsmar, Florida, last week should come as a wakeup call. Cybersecurity professionals have been talking about infrastructure vulnerabilities for years, detailing the potential for attacks like this, and this is a near perfect example of what we have been warning about. Though this attack was not successful, there is little doubt a skilled attacker could execute a similar infrastructure attack with more destructive results. Organizations tasked with operating and protecting critical public infrastructure must assume the worst and take more serious measures to protect their environments.”

Bryson Bort, CEO of Scythe and co-founder of “ICS Village” at Def Con, noted in a statement, “TeamViewer is a common remote desktop protocol (RDP) solution in ICS and the water attack was most likely simple access with stolen credentials. Using the software means everything is visible to the user (hence, the operator saw the mouse move and settings changed). Who and why is still the question.”

Bort offered a demonstration of such an attack during an Atlantic Council event several years ago.

Marty Edwards, vice president of operational technology security at Tenable, said, "The attack against the City of Oldsmar's water treatment system is what OT nightmares are made of. If successful, the damages of the attack would have been catastrophic. This story highlights just how quickly and covertly a subtle, and potentially deadly, change can be made. This is precisely why the security community has been warning about the rising threats to OT for the last decade-plus.”

He said, “The days of isolated OT networks are long gone. In its place is a highly dynamic and complex environment of smart OT technology, modern IT and everything in between. Attackers have capitalized on these converged networks to move laterally from one system to another, making the compromise of just one device even more dangerous. … All organizations that operate critical infrastructure, such as water supplies, must invest in the people, processes and technology required to keep these systems safe. This wasn’t the first attack of its kind and it certainly won’t be the last." – Charlie Mitchell (