By Beth Lawrence
A cyber-attack on a Pinellas County, Florida water provider brought to light the little considered possibility of terrorists using utilities to stage an attack.
Though the threat is very real, Tuckaseigee Water and Sewer Authority Director Daniel Manring believes Jackson County’s water is safe.
“We are confident with how our systems work and our protections in place,” he said. “We certainly discussed (the Florida hack) though.”
Part of Manring’s faith is placed in how TWSA’s system works.
Florida authorities believe the Oldsmar breach occurred due a cascade of oversights. The facility is alleged to have allowed outdated, disused remote access software to remain on the water system’s network, had the same password for all remote access accounts with no firewall safeguards and continued using the aging Microsoft Windows 7 operating system for which Microsoft discontinued updates and technical support.
When hackers gained access to the system, they attempted to adjust the level of sodium hydroxide, or lye, to more than 100 times the amount needed. Sodium hydroxide is used to raise water’s pH level, reducing acidity and minimizing corrosion in certain pipes, but in the right concentration it can be deadly.
That part of TWSA’s water treatment system does not allow remote access.
“In some systems, perhaps there is a need for operating remotely if allowed by their respective regulators,” Manring said. “However, our operations are conducted onsite only, without online operations.”
For the parts of TWSA’s operations that do operate online, the authority contracts with a private firm that takes security seriously, which Manring believes is a priority.
“Our IT folks are great at making sure only current employees have any access to TWSA computers or software with individual usernames and passwords,” he said. “From what I’ve learned of the Florida incident, that culture was not present and contributed to their issue. I believe a large part of vulnerability comes from not having an institutional culture that promotes security and safety. With IT matters, this is a top priority of the firm that handles our cybersecurity and is well implemented with TWSA employees.”
Manring acknowledges that no water system is 100 percent foolproof. Whether the system is in a rural area or a large city matters little. Each is vulnerable in unique ways.
A smaller, rural system could have less automation giving potential hackers little to interfere with digitally, but they may also not have the IT support that a larger, better-funded community might have.
On the other hand, larger water authorities systems could contain more automated functions and have more remote access, but they may also have in-house or contracted cybersecurity departments.
“As far as being targeted I would expect a larger system to be more appealing to criminals, but this is purely an assumption,” Manring said.