Following up on our December 2020 post regarding the SolarWinds cybersecurity breach, we wanted to provide a link to the February 11, 2021 joint Cybersecurity Advisory issued by the federal government. The Advisory—jointly authored by the FBI, U.S. Environmental Protection Agency, U.S. Cybersecurity & Infrastructure Agency and the Multi-State Information & Analysis Center, part of the nonprofit Center for Internet Security—comes on the heels of a cyberattack on the Oldsmar, Florida water treatment plant. On February 5th, a hacker gained access to the plant and increased the sodium hydroxide (commonly known as lye) in the water to a dangerous level, altering it from 100 parts per million to 11,100 ppm. Thanks to proactive staff action and system safeguards which were in place, the threat was averted and the public was never put at risk.
According to the Association of California Water Agencies (ACWA):
“The advisory states cyber actors likely accessed the system by exploiting cybersecurity weaknesses, such as an outdated operating system (Windows 7), and that it is possible a desktop sharing software (TeamViewer) may have been used to gain access to the system. Based on these findings and observations from other activity, the advisory includes threat overviews for desktop sharing software and Windows 7 end of life. These threat overviews discuss how cyber actors have been observed exploiting these systems for malicious activities."
"The advisory also includes a specific recommendations category for water and wastewater systems, which emphasizes the importance of installing independent cyber-physical safety systems. As the advisory notes, these are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor. It observes that these types of controls can be of particular benefit to smaller systems, such as the one involved in the recent incident, which may have limited cybersecurity capabilities. The advisory also includes general recommendations and TeamViewer software recommendations.”
For additional insight on the continued use of the unsupported Windows 7 operating systems, please also see the recent Utility Dive article “Florida water utility hack reveals thousands of organizations vulnerable to Window 7 exposure.”
We will continue to monitor cybersecurity issues affecting the water sector and provide additional updates on the blog as warranted.
Willis Hon focuses on serving water industry clients across California on a broad range of administrative and regulatory matters. He has extensive experience before the California Public Utilities Commission where he has ...
California Water Views provides timely and insightful updates on the water sector in the state. We relay information on how water legislation and policy from the nation’s capital, Sacramento, and around the U.S. affect California’s water utilities, agencies, practitioners, and consumers. We also write about important events, conferences, legal cases, and other key happenings involving all things water in and around California.
Stay ConnectedRSS Feed
- Clean Up of Groundwater & Contaminated Media
- Climate Change
- Coastal Development
- Dam Construction, Operation & Removal
- Environmental Protection Agency
- Government Administration
- Groundwater Management & SGMA
- Inverse Condemnation & Regulatory Takings
- New Legislation
- Oceans, Marine Life & Maritime Transportation
- Project Construction
- Public Agency Regulation
- Recycled Water
- Regulatory Reform & Proposed Rules
- Right to Take
- Water Infrastructure
- Water Litigation
- Water Quality
- Water Rights
- Water Supply
- Water Utility Regulation