water treatment plant (Kekyalyaynen/Shutterstock.com)

Warner wants answers on Florida water utility hack

The chairman of the Senate Select Committee on Intelligence wants more information from  the FBI and the Environmental Protection Agency about the recent cybersecurity breach at a Florida water utility.

Hackers took control of a computer at a water treatment plant in Oldsmar, Fla., and changed chemical controls to dump excessive amounts of lye into the drinking water. Plant personnel watched the intruder change the chemical levels and corrected the issue even before the system’s software flagged the change and alerted staff.

The Cybersecurity and Infrastructure Security Agency suggested in a Feb. 11 advisory notice  hackers were able to gain control of the facility through a remote desktop sharing application and exploiting vulnerabilities in the Windows 7 operating system, which Microsoft has stopped supporting.

"This incident has implications beyond the 15,000-person town of Oldsmar," Sen. Mark Warner (D-Va.) wrote in a letter to top officials at both agencies. "While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar… future compromises of this nature may not be detected in time."

The senator is asking the FBI to update the investigation's progress and the EPA to review whether the treatment facility was compliant with the "most recent Water and Wastewater Sector-Specific Plan" as well as whether that plan needs to be updated.

The plan Warner is referring was created by the Department of Homeland Security and the Environmental Protection Agency in 2015 to outline the oversight of public water utilities and provide a blueprint for how they can strengthen their physical and cyber infrastructure.

Warner wants the agencies to confirm the government is "sharing timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers across the United States," according to the letter.

The senator's letter also points out the attack highlights "broader security weaknesses" within the industrial control systems used by public utilities and the government in general.

Bryson Bort, a cybersecurity fellow at the R Street Institute, said the problem of government systems using outdated operating systems, like the Oldsmar facility did, is probably "widespread."

Industrial control systems are "built for a long operational lifecycle and the devices and software were developed on the [operating system] that was available at the time. As an OS goes end of life/unsupported, there is oftentimes no way to even provide an upgrade or a patch," Bort said.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Justin Katz is a former staff writer at FCW.


Featured

  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected