Security concerns regarding the nation’s water infrastructure took center stage following the dramatic Feb. 8 announcement that hackers had accessed the computer system at a small drinking water facility in Florida. Garnering national headlines, the Pinellas County Sheriff’s Office revealed that unknown actors twice entered the computer system of the city of Oldsmar’s drinking water treatment plant on Feb. 5 in an apparent attempt to disrupt operations. Most disturbingly, the second intrusion involved an attempt to increase the concentration of sodium hydroxide in the drinking water to dangerous levels.
‘A significant and potentially dangerous increase’
A city of nearly 15,000 people, Oldsmar is located about 15 mi northwest of Tampa. Opened in 2013, Oldsmar’s 2 mgd Bruce T. Haddock Water Treatment Plant uses reverse-osmosis membranes to treat brackish groundwater, according to the city’s website.
At about 8 a.m. on Feb. 5, an operator at the Oldsmar treatment facility “noticed that someone remotely accessed the computer system that he was monitoring,” said Bob Gualtieri, the sheriff of Pinellas County, during a Feb. 8 news conference. “The computer system was set up with a software program that allows for remote access where authorized users can troubleshoot system problems from other locations.” At the time, the operator “didn’t think much of it because his supervisor and others will remotely access his computer screen to monitor the system at various times,” Gualtieri noted.
Around 1:30 p.m. the same day, the facility’s supervisory control and data acquisition system was remotely accessed again by an unknown user, this time for three to five minutes. During this incident, the user opened various functions on the screen, including one used to control the level of sodium hydroxide, which is used to control acidity and remove metals from the water.
“The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million,” Gualtieri said. “This is obviously a significant and potentially dangerous increase.”
Fortunately, a plant operator noticed the change and “immediately reduced the level back to the appropriate amount,” Gualtieri said. “Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger.”
Even if the change had not been detected immediately, the increase in sodium hydroxide would have triggered pH alarms, said Al Braithwaite, Oldsmar’s city manager, during the Feb. 8 news conference. The alarms would have alerted plant staff in time to rectify the change, Braithwaite said.
No immediate suspects
Upon detecting the second intrusion, the city took steps “to prevent further remote access to the system,” Gualtieri said. The city then contacted the sheriff’s office, which notified the FBI and the U.S. Secret Service. It is unclear whether the hackers operated from within the United States or outside of the country, he noted. “Right now, we do not have a suspect identified, but we do have leads that we’re following,” Gualtieri said.
In response to questions from Civil Engineering about the incident, the city of Oldsmar declined to respond, citing the ongoing investigation. The Pinellas County Sheriff’s Office did not respond to a request for comment for this story.
On Feb. 11, a joint cybersecurity advisory describing the cyberattack of the Oldsmar facility was released by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, the U.S. Environmental Protection Agency, and the Multi-State Information Sharing and Analysis Center, known as MS-ISAC, which is operated by the Center for Internet Security. “The cyber actors likely accessed the (SCADA) system by exploiting cyber-security weaknesses, including poor password security, and an outdated operating system,” according to the advisory. “Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system.”
‘It could happen to anybody’
What happened to Oldsmar should serve as a warning to participants in every critical infrastructure sector, says Jacques Brados, a senior instrumentation and control manager and water cybersecurity consultant for Black & Veatch. “It could happen to anybody,” Brados says. “Water, power, businesses. It’s not unique to Oldsmar at all.”
In fact, a similar event has occurred at least once before in the United States, Brados notes. In 2016, he says, hackers accessed the SCADA system of a U.S. water utility — the name of which was not reported by authorities — and were able to alter the dosages of chemicals added during the treatment process. A comparable incident occurred recently at a drinking water facility in Israel, Brados says.
The decision by Oldsmar officials to come forward and discuss the Feb. 5 incident is highly commendable, Brados says. “The Oldsmar team deserves a huge round of applause for getting the police involved and making public statements,” he says. “I think that’s a fantastic thing to do.” Although he understands why some organizations that find themselves in similar situations do not go public, Brados maintains “there’s some value” in speaking out. “It’s important to help bring awareness,” he says. Reporting cyberattacks can also result in additional support and funding for the water sector to address such threats. “The squeaky wheel gets the grease,” Brados says.
Assessing cybersecurity vulnerabilities
Ultimately, water providers that are unsure of their digital vulnerabilities should “do a cybersecurity assessment,” Brados says. “Figure out where you are. Talk to other utilities.”
To begin, water providers can avail themselves of cybersecurity resources from multiple entities, including the American Water Works Association, the EPA, and the U.S. Department of Homeland Security. Fortunately, no shortage of such information exists, Brados says. “It’s probably overwhelming the amount of help that’s out there,” he notes.
Other key sources of information are the MS-ISAC, mentioned above, which offers cybersecurity resources for all levels of government, and the Water Information Sharing and Analysis Center, a nonprofit organization dedicated to sharing security-related information and promoting security among the water sector. “If a (water) utility is not a member of one or both of these, that is something that they should definitely be doing sooner rather than later,” Brados says.