Welcome

Water Plant Cyberattack Is Wake Up Call, 20 Years in the Making

Feb. 10, 2021, 10:00 AM

A cyberattack on a Florida water treatment plant underscores the need for strong security protections at the municipal level, attorneys and industry professionals say.

A hacker gained access to an Oldsmar, Fla. city computer on Feb. 5 and changed the level of sodium hydroxide, also known as lye, local authorities said. It isn’t yet known whether the breach originated from the U.S. or from outside the country. The Federal Bureau of Investigation is working with local authorities.

There’s been a “marked increase” in the last couple of years in cyber incidents against state and local government entities, said David Springer, a cybersecurity attorney at Bracewell LLP in Austin, Texas.

“A number of people have been calling this incident a wake-up call, but there have been reported attacks like this for 20 years now,” Springer said. “I’m glad it’s bringing attention to the security of industrial and municipal control systems.”

Water Systems Vulnerable

Vulnerability to cyberattacks varies across the 51,000 community water systems nationwide, said J. Alan Roberson, executive director of the Association of State Drinking Water Administrators.

“This needs to be elevated within the water sector,” because systems are too critical to be allowed to go down due to a cyberattack, he said.

The country’s largest water systems are the best prepared for cyberattacks because they’ve heavily invested in addressing security threats, Roberson noted.

One of the largest is American Water Works Company Inc., which said Tuesday that it acknowledges the severity of cyber threats and is working with state and federal agencies to prepare for them, spokesman Joseph Szafran said.

“American Water has a dedicated team of certified professionals who help maintain the cybersecurity of our informational and operational technology systems; safeguard the physical security of our staff, facilities and assets; and provide emergency response and business continuity activities,” Szafran said in an email.

Critical Infrastructure Risk

Guarding people’s privacy and protecting their personal information remains a top priority, but cyber hits to critical infrastructure should serve as reminders that bad actors can inflict real-world physical harm, said Paul Luehr, co-leader of Faegre Drinker Biddle & Reath LLP’s privacy and cybersecurity team.

“The Florida event shows cybersecurity isn’t always about personal data—it’s also about personal safety,” he said.

That a plant worker was able to quickly lower the chemical levels back to normal and prevent public harm reinforces how administrative, physical, and technical controls—including employee training—are vital to keeping systems secure, he said.

Critical infrastructure such as dams, power plants, and hospitals are attractive targets for bad actors and have increasingly been targeted in ransomware hits, said Greg Szewczyk, a privacy and cybersecurity partner at Ballard Spahr LLP in Denver.

It’s common for those types of entities to be targeted by nation-state actors, he said, but regardless of attacker type, businesses and municipal entities alike need to think about operational and organizational responsibilities, he said.

“They need to consider data security beyond the mere confines of guarding personal information,” Szewczyk said. “They should be regularly assessing cyber threats, identifying individual vulnerabilities, and adopting proper security measures.”

Tools Available

A cyberattack against a drinking water system emphasizes the need for water utilities to implement existing best practices, said Kevin Morley, manager of federal relations for the American Water Works Association.

The association provides its members with cybersecurity assessment tools that they should use following the Feb. 5 attack, Morley said.

“We would encourage those utilities to go do that assessment,” he said. “We are one of the many targets that various adversaries are seeking to take advantage of.”

The federal government through the Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency provides some tools water systems can use to assess their vulnerability, Roberson said.

But Roberson said EPA’s guidance is limited. The EPA provides an online vulnerability self-assessment tool that addresses cybersecurity and natural hazards, and a four-page brief on how states can address cybersecurity, he said.

The brief outlines how drinking water and wastewater systems can benefit from adopting a cybersecurity program.

“EPA has tools to assist water and wastewater utilities in preparing for, identifying, responding to, and recovering from cyber-attacks,” the EPA said in a statement provided by spokesman Nick Conger.

“To provide utilities with the most current resources, EPA has developed a website that utilities can reference to find the most updated alerts, information, and tools that may be used to improve cyber resilience,” the statement said.

CISA didn’t immediately respond to a request for comment Tuesday.

Compliance Insufficient

The Florida attack showed that a more sophisticated breach may go unnoticed, said Jerry Ray, chief operating officer of the security firm SecureAge Technology.

“Current regulations aren’t addressing real security threats that they’re faced with, this one being so low-level, so ham-fisted,” Ray said. “If this were a foreign adversary—someone with a real intent—those tracks wouldn’t be visible.”

Regulatory compliance and security safeguards most water utilities have in place are insufficient to protect them against future breaches, he said.

“Everything we’ve got in place is not enough,” Ray said. “Regulatory compliance is where you start.”

Municipalities should lean on state and federal resources to better their security systems, Springer said. Getting training and financial support from larger organizations can help them beef up their cybersecurity defenses, he said.

“There’s a very real risk of malicious actors getting into systems that control vital functions,” Springer said. “That’s not new—but it’s always a good time to refocus attention on it.”

The Biden administration has an opportunity in the wake of this attack to evaluate the nation’s collective defense model, said Evan Wolff, co-chair of Crowell & Moring LLP’s privacy and cybersecurity group.

“It’s going to take a coordinated and proactive response of organizations, the federal government, and the security community working together,” Wolff said.

To contact the reporters on this story: Jake Holland in Washington at jholland@bloombergindustry.com; Bobby Magill at bmagill@bloombergindustry.com

To contact the editors responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com; Rebecca Baker at rbaker@bloombergindustry.com

To read more articles log in.

Learn more about a Bloomberg Law subscription.