Water-Supply Hack Should Be a Wake-Up Call, Experts Say

U.S. law enforcement officials are investigating a hacker’s unsuccessful attempt to tamper with a Florida city’s water supply, an event that cybersecurity professionals view as yet another wake-up call that should cause the government to examine its role in protecting critical infrastructure from more skillful attackers.  

On Monday, local officials from the city of Oldsmar and the surrounding Pinellas county said a “bad actor” used software that provides remote access to a public water treatment facility to increase the level of sodium hydroxide—the main ingredient in drain cleaners, which is used in small quantities to adjust pH levels—to a dangerous amount. 

An operator at the plant intercepted the unlawful intrusion within three to five minutes and there were other systems in place to avoid catastrophe, the local authorities said, but they cautioned others to pay attention, saying “everyone should be on notice.”  

“The federal government should be involved with this at every step of the way,” Kiersten Todt, who served as a cybersecurity adviser to President Obama, told Nextgov Tuesday. “It should not be delegated to a local regulatory authority.”

Todt said she has long been concerned about water utilities, noting that while some sectors have a huge presence in the nation’s capital through their trade associations, that’s not true for all critical infrastructure, particularly smaller resource-constrained entities that are delivering a public good.   

“Energy, telecom and finance have a huge presence in Washington, D.C., but what is the presence of the water utilities, and how is the agency that's responsible for securing water utilities, working with them?” she said. “I think it very much is a wake-up call to look at how our government is organized and specifically CISA with its responsibility, to say, how are we working with these 50,000 water utilities.” 

Pinellas County Sheriff Bob Gualtieri said local authorities have been working along with the FBI and U.S. Secret Service since late Friday following the incident earlier that day. He said there are no suspects, but they do have some leads, stressing the hacker could be foreign or domestic. 

Attacks on the operating technology of critical infrastructure have been associated with nation-states like Russia and Iran, but also with individuals who might be looking to settle a score or explore their abilities.

Some cybersecurity professionals are already insinuating Russian involvement. 

“With President [Joe] Biden publicly chastising Russia in a recent press conference and threatening economic sanctions as a result of previous nation-state campaigns, the timing of this attack is interesting,” said Richard Cassidy, senior director of security strategy at Exabeam. 

Others suggested certain actions described by the sheriff, such as the mouse moving on the operator’s screen, show that the hacker was an amateur who didn’t take available steps to conceal their presence. 

“This time an amateur move of a rogue mouse cursor gave the perpetrators away, but we are seeing a sharp rise in sophisticated, stealthy attackers that slip under the radar unnoticed, what will happen the next time there is no flashing red light?” said Justin Fier, director of cyber intelligence and analytics for the firm Darktrace. He said governments around the world will be taking a closer look at their defenses for lessons, but so will malicious actors.

Whatever the identity of the hacker, Todt said the incident should propel CISA to take a more proactive role with water utilities and all critical infrastructure sectors.

“Defending our critical networks is a challenge exemplified by SolarWinds and now punctuated by this water utility crisis,” she said.

Nextgov reached out to CISA but did not get a response before publication.