Don’t Drink That! What Florida’s Water System Attack Can Teach Us About Cyber’s Deadliest Threats

Cyber security risk has become a prominent threat for companies and businesses alike. Many fear that a cyber attack could result in loss of information or data. But a recent cyber security breach at a water treatment facility in Florida has made it clear that no entity is safe. 
By: | March 7, 2021

The recent breach of a water treatment facility in Florida has raised the eyes of municipalities around the country. Malicious actors were not only able to breach a system but also changed chemical levels in the water that nearly poisoned the city’s drinking water.

Cyber security experts say limited resources and low prioritization of security is leaving many facilities at risk.

Administrators must stay aware of the growing risks, establish a stronger culture of security and support procurement processes that enable them to more quickly respond to the threats.

A Critical Attack on a Water Treatment Plant

In early February 2021, hackers breached the industrial control systems of a water treatment plan in Oldsmar, Fla.

They ultimately changed the level of lye in the system, which lead to a rise in the sodium hydroxide level from 100 parts per million to a highly dangerous level of 11,100 parts per million. While the breach was discovered before it was able to reach the homes of residents, the attack could have had disastrous consequences, experts say.

Chris Grove, CISSP, NSA-IAM, product evangelist, Nozomi Networks

While authorities haven’t yet identified the perpetrator, the seriousness of the crime is concerning to municipalities across the country, says Chris Grove, CISSP, NSA-IAM, product evangelist at Nozomi Networks.

“The fact that the attacker was able to get through the first layer of what you would think would be defense and went right up on and testing the next layer should be very concerning for any critical infrastructure operators,” said Grove.

Authorities are still trying to determine who the attacker was and what their motivation was, but Grove noted there were multiple cyber security lapses that could have been used.

A federal advisory authored by the FBI, the Cybersecurity and Instructure Security Agency, the U.S. Environmental Protection Agency, and the Multi State Information Sharing and Analysis Center noted the breach could have been enabled by outdate Windows software and “poor password security.”

A Growing Risk for Municipalities

Attacks like these have long been feared by cyber security experts.

A report by KnowBe4 found that municipalizes are ideal targets for criminals, because they provide essential services to citizens. They have often been targeted with ransomware, and between 2017 and 2020, victimized municipalities paid an average ransom of $125,697.

From school systems to police departments and utilities, such incidents have been a growing concern to security and finances, said Wade Chmielinski, staff vice president and group manager cyber consultant at FM Global.

Yet as proven by the Florida incident, the vulnerabilities of unprotected systems could lead to far more dire consequences than only financial losses.

Part of these vulnerabilities have expended do to digital transformation and the movement to new systems that enable workers to monitor chemical levels and pressure from remote locations. COVID-19 led many municipalities to further move to remote systems and quickly jump into new solutions with less oversight than they may have had in traditional times, said Grove.

For some, this mean adopting new remote access programs that may have not had proper security measures, like two-factor authentication, a firewall, or even basic network segmentation. Cyber security has been made more of a “reactionary thing” than a driving force the past year, he said.

“With COVID, people are forced into making decisions they wouldn’t have made otherwise. There’s probably someone at home with some access to a remote plant somewhere that wasn’t pre-COVID,” said Grove.

While critical infrastructure attacks aren’t new, they have typically been targeted at utilities and big cities with better security in their industrial control systems.

Yet Grove noted cyber security isn’t always a top priority for smaller city administrators who are often hamstrung between things like new schools, parks or bulletproof vests for police.

“Cyber security for the wastewater facility isn’t always at the top of the list for taxpayers,” Grove said. “The folks who are out there are trying to do their best with it [and] are getting a lot of balance over things that are going on, but they’re powerless to make the purchase to do it right.”

One of the first things a municipality can do is to foster an environment with top-down support. The most effective measures are when there’s a leadership decision that enables them to do it securely and put resources behind it. Management must drive the culture of awareness by keeping a pulse on security, talking in front of the organization and taking the lead.

“It’s the executive’s responsibility to change the culture,” said Grove.

Municipalities must also refine their procurement processes to act more quickly to evolving threats, Chmielinski added. As cyber attack strategies can often change overnight, they can’t always afford to wait a year or more to acquire a new tool, security solution, or consult with a third-party.

“You need some kind of way to quickly create an incident response plan. The bureaucracy and red tape make it a lot more challenging,” Chmielinski said. &

Craig Guillot is a writer and photographer, based in New Orleans. He can be reached at [email protected].

More from Risk & Insurance