Water poisoning attack in Florida shows cybersecurity gaps in water systems

Oldsmar, Florida, experienced one of the biggest fears in cybersecurity on Friday: hackers who want to poison the water supply.

This is the kind of attack that has been warned about for years but is rarely seen. Experts believe the hack, which was quickly addressed, is a prime example of why the cybersecurity of the US water supply is one of the biggest risks to the country's infrastructure.

And like the American election system, it is a large and diverse challenge.

“Water facilities are particularly problematic,” said Suzanne Spaulding, who was the chief cybersecurity officer at the Department of Homeland Security during the Obama administration. “When I first started at DHS and started getting the sector-specific information sessions, my team said, ‘Here’s what you need to know about water facilities: if you saw one water facility, you saw one water facility.’”

The US's 54,000 drinking water systems are run independently, by local governments or small businesses. This means there are thousands of different security setups, regularly managed by generalists who are responsible for all of the technology of their particular systems.

“I have been to numerous water treatment facilities where there is one IT person or two IT people,” said Lesley Carhart, principal threat analyst at the cybersecurity company Dragos. “And they have to deal with everything, from provisioning computers and devices that keep the infrastructure running to trying to do security.”

“Most are very aware of it, but they just drown,” she said. “They do not know how to achieve all the things they have to do to keep things going from an IT perspective and also to fill in the blanks.”

All of Oldsmar's cybersecurity services, including those for the water treatment plant, are run by one man, City Manager Al Braithwaite, Felicia Donnelly, an assistant city manager, said in an email.

In the case of the Oldsmar attack, all the hackers needed to gain access was to log in to a TeamViewer account, which allows users to remotely control a computer associated with the plant. That let them open and manipulate a program that determines the chemical content of the underground water reservoir that provides drinking water for nearly 15,000 people. The plant has backup alarms to detect unsafe chemical levels, but the hackers were able, at least briefly, to order the plant to poison the water.

With a few clicks, they instructed it to increase the lye level in the water from 100 to 11,100 parts per million. Anything above 10,000 can lead to “swallowing problems, nausea/vomiting, abdominal pain and possibly even damage to the digestive tract,” Dr. Kelly Johnson-Arbor, a medical toxicologist at the National Capital Poison Center, said in an email.
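The two paragraphs above describe a remote session pushing a dosing setpoint far past the level the plant's own alarms exist to catch. As an added example, not code from the article or from the Oldsmar plant, here is a Python setpoint guard that a defender might place between a remote-access session and a dosing controller: it rejects any value over a hard ceiling, forces an on-site hold for large steps, and refuses large steps from remote sessions altogether. The chemical name, the limits, and the sample requests are all constructed for this example.

```python
"""Setpoint guard for a chemical dosing controller (illustrative, added example).

Not the Oldsmar plant's software or any vendor product. It models the
defence-in-depth idea behind the plant's backup alarms as a check that runs
*before* a requested setpoint reaches the dosing controller.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SetpointRequest:
    operator: str
    via_remote: bool        # True when the change arrives over a remote-access session
    chemical: str
    current_ppm: float
    requested_ppm: float


# Hypothetical operating envelope for the example, NOT a real plant's values.
# The hard ceiling mirrors the 10,000 ppm harm threshold quoted in the article;
# max_step_ppm caps how far one change may move the setpoint.
LIMITS = {
    "sodium_hydroxide": {"max_ppm": 10_000.0, "max_step_ppm": 50.0},
}


def evaluate(req: SetpointRequest):
    """Decide whether a setpoint change may pass to the dosing controller.

    Returns (decision, reasons). decision is "accept", "hold" (needs on-site
    confirmation) or "reject"; reasons lists every rule that fired.
    """
    reasons = []
    limits = LIMITS.get(req.chemical)
    if limits is None:
        return "reject", ["unknown chemical"]

    # Hard limits: never forwarded, regardless of who asked.
    if req.requested_ppm < 0:
        reasons.append("negative setpoint")
    if req.requested_ppm > limits["max_ppm"]:
        reasons.append(f"exceeds hard limit {limits['max_ppm']:.0f} ppm")

    # Rate-of-change limit: a large jump is suspicious even inside the ceiling.
    step = abs(req.requested_ppm - req.current_ppm)
    if step > limits["max_step_ppm"]:
        reasons.append(f"step {step:.0f} ppm exceeds max step {limits['max_step_ppm']:.0f} ppm")

    if any(r.startswith(("negative", "exceeds")) for r in reasons):
        return "reject", reasons
    if reasons:  # only the step rule fired
        if req.via_remote:
            reasons.append("large step over remote session not permitted")
            return "reject", reasons
        return "hold", reasons
    if req.via_remote:
        reasons.append("remote change logged for review")
    return "accept", reasons


def screen(requests):
    """Run the guard over a batch and return (operator, decision) per request."""
    return [(r.operator, evaluate(r)[0]) for r in requests]


# Constructed sample requests; the first mirrors the change the article reports.
SAMPLE_REQUESTS = [
    SetpointRequest("remote-session-1", True, "sodium_hydroxide", 100.0, 11_100.0),
    SetpointRequest("onsite-op-a", False, "sodium_hydroxide", 100.0, 130.0),
    SetpointRequest("onsite-op-a", False, "sodium_hydroxide", 100.0, 400.0),
    SetpointRequest("remote-session-2", True, "sodium_hydroxide", 100.0, 400.0),
    SetpointRequest("remote-session-3", True, "sodium_hydroxide", 100.0, 120.0),
]

if __name__ == "__main__":
    for operator, decision in screen(SAMPLE_REQUESTS):
        print(f"{operator:18s} -> {decision}")
```

The point of the design is that the ceiling is enforced independently of the HMI: even an operator with full remote control of the workstation cannot push a value past it, and a large step is an event for a person on site to confirm rather than something a single session can commit.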

Bryson Bort, a cybersecurity consultant who helped found ICS Village, a nonprofit that raises awareness of cybersecurity for industrial systems, said that such a practice, setting up a program that lets users take remote control of sensitive industrial systems, is very common in industrial facilities that do not have the means to employ experts at all times.

“When you think about it, you have a challenge to be technical as well as resourced right to be able to manage things,” he said in a telephone interview. “The ability to get a warning in 3 hours and get that one expert in. People always imagine it to be so, but that’s how it is. It’s the ease of these resource constraints. It's not a choice.”


Foreign government-backed hackers regularly target U.S. industrial systems, which are often labyrinthine enough that a simple intrusion does not let them disable infrastructure. It is unclear who or what was behind the Oldsmar hack.

Federal officials have long worried about a possible “cyber Pearl Harbor” incident, in which hackers could physically damage US infrastructure. Although that has not happened, the US has been eager to push back when an adversary comes too close.

In 2013, a hacker broke into computers that controlled the Bowman Dam in Rye, New York, and could have accessed its controls had they not been offline for maintenance. Three years later, the Justice Department charged an Iranian citizen with the hack and said he worked for a company affiliated with Iran's Revolutionary Guards.

And last year, the Treasury Department sanctioned a Russian government institution that allegedly created a powerful, destructive program called Triton, which targets industrial systems.

There is no public evidence that a US company has been seriously harmed by Triton. But that does not mean those countries' hackers are not trying to exploit the open holes in US infrastructure, Carhart said. It means they know better than to inflict damage cavalierly.

“The foreign hackers are there. I promise you, they’re in the water supply. But they know better than to push buttons today,” she said.

“They’re going to wait until they really have a good reason to push buttons. They’re there. We find them all the time.”
