US drinking water plants still very vulnerable to cyberattacks
These facilities often rely on remote control software, which leaves them exposed to security breaches, according to experts.
With the increase in cyberattacks against drinking water utilities, disaster scenarios have almost become reality.
The United States, a frequent target of cyberattacks, seems so far to have neglected its most vulnerable systems: drinking water infrastructure.
On January 15, 2021, a hacker managed to break into the management system of a municipal waterworks serving parts of the San Francisco Bay Area. It was a fairly easy hack: he had the username and password of a former employee's TeamViewer account, a program that lets users control their computers remotely, and used them to access the system.
Once logged in, the hacker, who has not been identified by authorities, deleted the programs the plant used to treat drinking water. The intrusion was not discovered until the next day; the usernames and passwords were then changed and the operating software was reinstalled.
More fright than harm, some would say, but the episode is one of the increasingly open threats posed by malicious hackers to critical US infrastructure.
The worst-case scenario, worthy of a B-grade disaster movie, almost materialized a few weeks later in Oldsmar, a town of about 15,000 northwest of Tampa, Florida. There too, a hacker gained access to a TeamViewer account and remotely increased the level of sodium hydroxide, or caustic soda, in the water at the treatment plant.
No arrests have been made and authorities and investigators do not know whether the water infrastructure hacks were carried out from within the United States or from outside the country.
Caustic soda is used to unclog drains, as a cleaning product, or as a neutralizing agent that raises the pH of water; the resulting alkaline environment destroys pathogens. In municipal water systems it is used mainly to control acidity. In high concentrations, caustic soda is highly corrosive and can cause skin and eye irritation, as well as temporary hair loss.
On that day in February 2021, one of the Oldsmar plant operators saw an attempt to access the system in the morning but assumed it was his supervisor. A second attempt came in the early afternoon, and this time the hacker reached the treatment software and raised the sodium hydroxide setting from 100 parts per million (ppm) to 11,100 ppm, a toxic level.
Very soon afterward, the operator noticed the mouse cursor moving on its own and reversed the hacker's changes, returning the levels to normal.
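The Oldsmar sequence above was caught only because an operator happened to see the cursor move. A control that does not depend on someone watching the screen is an engineering limit enforced on the setpoint itself, between the HMI and the PLC, so that a write far outside the plant's normal band is refused whoever sends it and a large but plausible jump is held for a second person to confirm. The following is an added example, not code from the article or from any utility it names; it assumes such a gateway exists, and the tag name, limits and HMI write log are constructed for illustration.

```python
"""Setpoint guard for a chemical-dosing controller.

Added illustration, not code from the article or from any utility it names.
It assumes a small gateway in front of the PLC that sees every setpoint write
coming from the HMI (local console or remote session) and applies two controls:
an engineering range that is never exceeded, and a maximum single step beyond
which a change is held for a second operator's confirmation.
The tag name, limits and event log are constructed values.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SetpointGuard:
    tag: str            # dosing setpoint tag (name is assumed)
    low: float          # engineering minimum, ppm
    high: float         # engineering maximum, ppm
    max_step: float     # largest change accepted without confirmation, ppm
    current: float      # value currently applied at the PLC
    alerts: List[str] = field(default_factory=list)

    def request(self, new_value: float, source: str) -> float:
        """Handle a requested setpoint write; return the value the PLC ends up with."""
        if not (self.low <= new_value <= self.high):
            # Hard limit: never forwarded, regardless of which session asked.
            self.alerts.append(
                f"REJECT {self.tag}: {new_value} ppm from {source} "
                f"outside engineering range [{self.low}, {self.high}]")
            return self.current
        if abs(new_value - self.current) > self.max_step:
            # In range but a large jump: hold until a second person confirms.
            self.alerts.append(
                f"HOLD {self.tag}: {self.current} -> {new_value} ppm from {source} "
                f"exceeds {self.max_step} ppm single step; needs confirmation")
            return self.current
        self.current = new_value
        return self.current


# Constructed HMI write log: (timestamp, session source, requested ppm).
# The last entry mirrors the jump reported in the article (100 -> 11,100 ppm).
EVENTS = [
    ("08:05", "hmi-console",       100.0),
    ("09:10", "hmi-console",       110.0),
    ("13:00", "remote-teamviewer", 110.0),
    ("13:02", "remote-teamviewer", 11100.0),
]


def replay(events=EVENTS) -> Tuple[float, List[str]]:
    """Replay a write log through the guard; return the final setpoint and alerts raised."""
    guard = SetpointGuard(tag="NaOH_dose_sp", low=0.0, high=500.0,
                          max_step=50.0, current=100.0)
    for _ts, source, value in events:
        guard.request(value, source)
    return guard.current, guard.alerts


if __name__ == "__main__":
    final, alerts = replay()
    print(f"final setpoint: {final} ppm")
    for line in alerts:
        print(line)
```

With the constructed log the guard leaves the setpoint at 110 ppm and raises a single REJECT for the 11,100 ppm write; the legitimate 100 to 110 ppm change passes without comment. The two thresholds are deliberately separate: the engineering range is a physical fact about the process and should live in the PLC or gateway, while the step limit is an operational choice that trades a little convenience for a forced pause on unusual changes.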
Again, no arrests were made, and authorities and investigators do not know whether the hack was carried out from inside or outside the United States. At no time was there a significant adverse effect on the treated water, Pinellas County Sheriff Bob Gualtieri said at a press conference at the time. Above all, the public was never in danger.
Since utility plants often rely on remote control software, security breaches are likely to occur. How hackers obtain TeamViewer account credentials is unclear, but the trail often leads to the underground web, where usernames and passwords for infrastructure systems are said to circulate and be sold.
Drinking water treatment infrastructure is both very vulnerable and hard for hackers to control at scale. Vulnerable, because of the more than 150,000 American plants, a good portion are in rural communities without the budget surplus to monitor their systems constantly for cyberattacks. That is said to be the case for the majority of the 55,000 water plants run by local communities, plants that supply water to more than 286 million people year-round.
Fortunately, the United States government has made cybersecurity in water distribution infrastructure a priority, according to Gus Serino of Dragos.
The water industry is largely unregulated, says Gus Serino, threat hunter at Dragos, a cybersecurity company. Many water utilities are under-resourced and don't really have the regulations, the requirements, to secure the systems. So that's a real problem.
These small water utilities often don't have their own IT or cybersecurity staff. Most of the time, these plants are run by a handful of employees who are not necessarily experienced in watching for cyberattacks.
On the other hand, the risk of a concerted attack affecting several plants is also limited, because each installation operates independently. In other words, the lack of centralized operations prevents hackers from poisoning water remotely on a massive scale.
This is both a blessing and a curse, since it also makes it much harder to apply a single protection solution across these 50,000-plus small water treatment plants.
According to experts, few public reports document these incidents. Whether such hacks have become more common or merely more visible is unclear, since there is unfortunately no comprehensive federal census of water treatment plant security.
Worse, even small rural water utilities tend to be reluctant to share their vulnerabilities. That is the troubling admission of Daryn Martin, technical assistant at the Kansas Rural Water Association, a trade organization for about 800 water treatment facilities in Kansas. Interviewed by NBC, he acknowledged that, in general, they do not report to the federal government. There's a certain distrust, you know, in the small towns of the American Midwest. Nothing reassuring about security or its prospects for improvement.
Most of the time, waterworks in the United States are run by a handful of employees who are not necessarily familiar with monitoring for cyberattacks.
None of this surprises Gus Serino. Naturally, utilities try to avoid making headlines. Often, honestly, they don't know what to do. They have no solution because they have never faced this kind of problem before.
The United States Environmental Protection Agency (EPA) submitted its plan to Congress in August to ensure water safety. The agency is expected to propose and roll out new rules that would require local authorities to include checks for cybersecurity vulnerabilities in their inspection reports from now on.
There is a lot of debate about whether the EPA should do this or whether the mission should be given to another organization, but there is a lot of effort going into solving this problem, Gus Serino points out.
And the fact that the US Congress is finally taking up the issue is rather encouraging, in his view. I think it has become a priority recently. Since 2018, under America's Water Infrastructure Act, water distribution facilities have been required to carry out an assessment and to have an incident response plan.
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA), the federal government's lead cybersecurity agency, is tasked with helping secure the country's infrastructure, including water.
However, it does not regulate the sector and is largely limited to advising and assisting organizations that ask for help. Moreover, by the agency's own admission, only a tiny fraction of the country's water facilities use its services: a few hundred of the 55,000 nationwide.
The United States Environmental Protection Agency has sent to Congress its report on cybersecurity in water distribution infrastructure.
Gus Serino says time is running out, as ransomware attacks continue to disrupt water distribution infrastructure. These attacks hijack computer systems and hold them hostage until the victims pay a ransom. Jacksonville, North Carolina, and Fort Collins, Colorado, for example, have been victims of such attacks.
Implementing solutions at the national scale is more essential than ever but remains quite a challenge for American authorities. Until Congress releases budgets to train and equip water utility workers in smaller communities, the risk of serious attacks remains. Gus Serino believes it will take another year for the US federal machinery to produce results.