Focus on: Water & Energy

Protecting your water utility from cyber threats

By DENISE FEDOROW | The Municipal
Oldsmar, Fla., averted a potential catastrophe in February when someone breached the computer system at the Bruce T. Haddock Water Treatment Plant and changed the levels of sodium hydroxide from 100 parts per minute to 11,100 ppm. An operator monitoring the system happened to see the cursor moving across the screen and corrected the levels.

"That's called getting lucky," Kevin Morley, manager of federal relations for American Water Works Association, said.

During a press conference organized by the sheriff and city officials following the event, Pinellas County Sheriff Bob Gualtieri said it was an "unlawful intrusion" to "part of the nation's critical infrastructure."

The perpetrator actually made two attempts. The first was at 8 a.m. Feb. 5, but it was very brief, and the operator thought maybe supervisors were accessing the system through remote access. At 1:30 p.m., the system was again breached, but this time the perpetrator changed the amount of sodium hydroxide—a caustic ingredient in drain cleaners—to "significant and dangerous levels," according to the sheriff.

The sheriff and city officials—Mayor Eric Seidel and City Manager Al Braithwaite—stressed residents were never in danger because even if the cyber attack had not been detected, there are other controls in place that would've set off alarms before the increased ingredient could have entered the drinking water system. They also noted it takes 24-36 hours to hit the water system.

At the time of the press conference on Feb. 8, Sheriff Gualtieri said they didn't know whether the threat came from inside or outside the country. The FBI is still investigating the incident, so when called, Oldsmar's assistant city manager said, "We're not engaging in any conversations on that topic at this time."

During the press conference, Braithwaite responded to a reporter's question by stating, "We anticipated this day coming—we talked about it and studied it."

However, Morley said the Oldsmar system had no firewall and a weak password, so "it didn't require a lot of sophistication to hack it."

In a press report days after the incident, an FBI investigator was cited as stating the cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security and an outdated Windows 7 operating system, and they likely used a shared software, Team Vision, to gain unauthorized access to the system.

Kevin Morley, manager of federal relations for American Water Works Association

ABOVE: Vigilance is key to preventing cyberattacks on water utilities. Water utilities should focus on implementing best security practices, such as avoiding exposure of critical assets to the internet, establishing redundancy mechanisms for critical assets, employing strict access control policies and raising security awareness among employees. (Shutterstock.com)

22 | THE MUNICIPAL | JUNE 2021