A hacker tried to poison the drinking water at a utility plant at Oldsmar, Fla., a city the same size as Vero Beach, on Feb. 5 by remotely changing the chemical mix using the treatment system’s computerized controls.
The hack was detected before the water supply could be poisoned with lye, but the incident raised obvious concerns about the security of the Vero Beach and Indian River County water systems.
Officials here believe the county and city water systems are safe from cyberattacks, but such attacks are constantly evolving, and protecting the water supply is an ongoing challenge.
The county water utility recently completed a federally mandated review and risk assessment of its system, and Vero is in the midst of a similar process.
Oldsmar – a quiet, harborside city of roughly 15,000 people near Clearwater and Dunedin – seems an odd target for a cyberattack. Its modern reverse-osmosis water treatment plant is only eight years old, and since it opened, Oldsmar’s utility has won several accolades, including the Florida Department of Environmental Protection’s Operations Excellence Award in 2013 and 2018.
Yet, its systems were not as protected as they could have been. After the attack, the FBI alerted other utilities about three shortcomings that made Oldsmar vulnerable.
According to the FBI, the water treatment plant’s computers were still using the outdated Windows 7 operating system, which Microsoft no longer actively supports with security updates. On top of that, the hacker gained remote access to controls using desktop sharing software called TeamViewer, which the FBI says has legitimate applications but is a “popular tool” used in cyberattacks.
“Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making them similar to Remote Access Trojans (RATs),” the FBI memo stated.
Last, access to the utility’s systems was not protected by strong passwords, making it less challenging for the hacker to break in and gain remote access to the chemical controls.
Indian River County Utilities Director Vincent Burke confirmed last week that the county’s water treatment systems have no remote access. Beyond that, there wasn’t too much he would say. “We take these things very seriously,” Burke said, adding that Indian River County Utilities complies with the requirements of the America’s Water Infrastructure Act of 2018 (AWIA).
Burke said the county’s new head of information systems, Dan Russell, has greatly enhanced and hardened all of the county’s computer systems to keep data safe and prevent hacking.
Russell referred questions about the security upgrades to county spokesperson Kathleen Keenan, who confirmed that “Indian River County met the AWIA requirements in 2020.”
According to the Environmental Protection Agency, utilities the size of the county’s system were required to conduct a risk assessment by March 2020 and submit a final Emergency Response Plan by September 2020.
Keenan also offered some generic assurance. “While the county cannot comment on the specific details regarding the security, including cybersecurity, of the design, construction and operation of our network for the county’s water treatment facilities, the county has put safeguards in place to avoid potential cybersecurity threats,” she said.
Vero Beach Utilities is on a different timetable to fully comply with AWIA requirements, because the city’s system serves a smaller population than the county. According to the EPA schedule of compliance deadlines, Vero has until June 30 of this year to complete its Risk and Resilience Assessment, and until Dec. 31 to finalize its Emergency Response Plan. In the interim, City Manager Monte Falls expressed confidence in Vero’s systems.
“The city has the proper protocols and internal controls in place to prevent this kind of breach of the city’s water treatment plant controls and other critical city IT infrastructure,” Falls said. “We consider ourselves well protected and the city’s IT department constantly monitors the emergence of new cybersecurity threats and responds with the appropriate measures for protection of city assets.
“We also have engaged Kimley-Horn and Associates to perform a formal AIWA risk assessment as required by Federal law, which includes a cybersecurity risk/threat assessment. This action was authorized by City Council at the Sept. 1, 2020 meeting,” Falls said.
Kimley-Horn is being paid $60,000 for 356 hours of work on the Risk and Resilience Assessment and then another $9,000 for 56 hours of work on the Emergency Response Plan.
City staff has been working with the consultants to examine asset inventories, control system exposure, used access controls, safeguards against unauthorized physical access, and vulnerability management. In addition to examining external security factors, the consultants will analyze the city utility’s cybersecurity training, policies and culture, as well as the potential for insider threats.
When asked if Vero allows any sort of remote access to water system controls, Falls said, “for security reasons, we cannot answer questions about the specifics of our network access or controls.”
The FBI is still investigating the Oldsmar case to determine who the hacker was and where the hacker is located, as the threat could have been local or from another country. Tips the FBI offered utilities include multiple-factor authentication, strong passwords, network audits, the isolation of computer systems, and keeping their software, anti-virus and anti-spam protection up to date.