Remote Control?


Way back in time.  Yeah…all of 20 years. Right after 9/11, America knew it had to ‘harden’ its infrastructure.  Water supplies, natural gas, power grids- all of them were easily susceptible to terrorist attacks.  Except, that was all talk and virtually no action.

Consider this…

You are the plant operator in Oldsmar (near Tampa Bay in Florida), just coming on shift, and you notice that various indicators are changing, with no intervention by anyone in the facility. Thankfully, it was recognized and the action was immediately reversed. However, that should never have been possible in the first place.  (The water system allowed for remote control.)

Oldsmar Water System

How did that happen?  Unfortunately, very easily.  An app, TeamViewer, was engaged.  This low-cost (or free) program affords remote IT staff the ability to repair systems.  To be honest, the water operator switched to a different utility a while ago, but they never removed this one from the computers.   Et voilà: a big door was available for mischief.

Team Viewer App

And, while the intrusion had been turned around at 8 AM, the same door was still available to hackers, who came back through it that afternoon around 1:30 PM. Again, the hacker was dumping lye (sodium hydroxide) into the water system.  Not at the 100 mg/L dosage which would be normal to control the acidity, but at 11.1 g/L, 110X the normal levels.

Now, the water system avers that there are other checks in place that would have alerted others to the problem.  But, no proof was proffered to back up that claim.  As a matter of fact, this water system had just ‘completed’ a mandated (by the Feds) security-risk assessment less than 90 days ago.  But, had made no changes based upon said assessment!

This mandate is part of the changes effected in response to America’s Water Infrastructure Act, enacted back in 2018.   The law requires the 542 water providers serving about 80% of the U.S. population (the larger communities) to do security-risk reviews and integrate findings into their emergency plans.  But, as Oldsmar shows, doing the risk assessment and integrating the findings into plant operations are separate events, and the second is not often effected.

The problem is compounded by the fact that no one knows if this was a domestic issue or a foreign operator- or why the Oldsmar plant was chosen for the hack.  Local police, the FBI, and the Secret Service are all investigating the issue.

Oldsmar is not alone- it’s one of some 542 such community water systems, where there are few repercussions if security is not maintained. And, those 542 systems are a drop in the bucket when we realize that there are 40,000 other organizations, each serving fewer than 3,300 customers, that are not so regulated.  It gets better- the water systems only must certify they completed the assessment; they do not have to share the results of the audits with the federal regulatory agencies. (That also means these records are secret- unobtainable under the Freedom of Information Act.)

148K US Water Systems

(Theoretically, our electric power grid has upgraded its rules since 2008 to ensure the physical security and cybersecurity of its systems.  But, the changes are not stringent enough to guarantee the safety of those systems.)

Oh, and since we are all working from home- tools such as TeamViewer have become ubiquitous on our sensitive infrastructure.

I, for one, am not assured that the hacker was only checking to see if he could make changes to the system.  (That would render this an opportunistic hack rather than a sophisticated attack.)

Especially since the price tag to upgrade our water supply systems is on the order of $750 billion!  (Back in 2018, $10 million was authorized to begin the upgrades- but the money was never appropriated!)

 


8 thoughts on “Remote Control?”

  1. Definitely something we need to seriously work on as a society.. until then, like Kate mentions, we should hope that we can continue being lucky..
