Following up on our December 2020 post regarding the SolarWinds cybersecurity breach, we wanted to provide a link to the February 11, 2021 joint Cybersecurity Advisory issued by the federal government. The Advisory—jointly authored by the FBI, U.S. Environmental Protection Agency, U.S. Cybersecurity & Infrastructure Agency and the Multi-State Information & Analysis Center, part of the nonprofit Center for Internet Security—comes on the heels of a cyberattack on the Oldsmar, Florida water treatment plant. On February 5th, a hacker gained access to the plant and increased the sodium hydroxide (commonly known as lye) in the water to a dangerous level, altering it from 100 parts per million to 11,100 ppm. Thanks to proactive staff action and system safeguards which were in place, the threat was averted and the public was never put at risk.
According to the Association of California Water Agencies (ACWA):
“The advisory states cyber actors likely accessed the system by exploiting cybersecurity weaknesses, such as an outdated operating system (Windows 7), and that it is possible a desktop sharing software (TeamViewer) may have been used to gain access to the system. Based on these findings and observations from other activity, the advisory includes threat overviews for desktop sharing software and Windows 7 end of life. These threat overviews discuss how cyber actors have been observed exploiting these systems for malicious activities."
"The advisory also includes a specific recommendations category for water and wastewater systems, which emphasizes the importance of installing independent cyber-physical safety systems. As the advisory notes, these are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor. It observes that these types of controls can be of particular benefit to smaller systems, such as the one involved in the recent incident, which may have limited cybersecurity capabilities. The advisory also includes general recommendations and TeamViewer software recommendations.”
For additional insight on the continued use of the unsupported Windows 7 operating systems, please also see the recent Utility Dive article “Florida water utility hack reveals thousands of organizations vulnerable to Window 7 exposure.”
We will continue to monitor cybersecurity issues affecting the water sector and provide additional updates on the blog as warranted.
