A Florida city whose water system was hacked last week said Friday that it completed a federally mandated security-risk assessment three months ago, but hadn’t yet integrated the findings into its emergency plans.
The hacking incident, occurring after a security review, has thrown into stark relief a vulnerability of the more than 50,000 community water systems that supply most Americans with their drinking water: they don’t have to meet any national standard for cybersecurity.
That is in contrast to electric utilities, which have had to meet increasingly stringent rules since 2008 for the physical and cybersecurity of key assets and, more recently, for parts of their supply chains. Rules for the electric industry are reinforced by monetary penalties for violations.
On Feb. 5, an engineer at a water treatment plant in Oldsmar, Fla., in Pinellas County, detected that a hacker had accessed the facility’s control system and attempted to increase the amount of lye used to treat the water to a potentially dangerous level. The control engineer witnessed the tampering, as a ghostly hand moved a cursor over his screen, and he reversed it immediately, officials said. But the episode highlighted how few protections are mandated to defend the U.S. water supply.
The cyber-intruder got into Oldsmar’s water treatment system twice on Friday — at 8 a.m. and 1:30 p.m. — through a dormant software program called TeamViewer. The software hadn’t been used in about six months but was still on the system. “How they got in, whether it was through a password or through something else, I can’t tell you that,” said Gualtieri.
TeamViewer, which is based in Germany and has more than half a million customers around the world using commercial licenses, said that there was no indication of suspicious activity.
“Based on cooperative information sharing, a diligent technical investigation did not find any indication for suspicious connection activity via our platform,” TeamViewer spokesperson Martina Dier told CNN on Wednesday.
Once inside the system, the hacker adjusted the level of sodium hydroxide, or lye, to more than 100 times its normal levels, Gualtieri said.
The system’s operator noticed the intrusion and immediately reduced the level back. At no time was there a significant adverse effect to the city’s water supply, and the public was never in danger, he said.
