Florida water hack shows infrastructure cyber weaknesses

A thwarted attempt by an unknown hacker to put lye into a small Florida city’s water treatment facility highlights the need for infrastructure operators to keep software updated and follow other cyber security measures, experts say.

The attack on the Oldsmar, Florida, water treatment facility will also likely lead underwriters to question operators more closely about their cyber security protocols, they say. 

On Feb. 5, a plant operator detected remote access to functions in the system that control the amount of sodium hydroxide, or lye, in the city’s water and successfully stopped it.

According to reports, the hacker gained access to the system through a remote access software, TeamViewer, that the city no longer uses, but which was still attached to the system. Oldsmar also used the Windows 7 operating system, for which Microsoft Inc. had stopped offering support a year ago. The attack was announced by the Pinellas County sheriff.

Christopher C. Krebs, former director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, testified before the Senate Homeland Security and Governmental Affairs Committee that the hacker may have been a disgruntled worker. Other experts suggest that an attack by a nation state would not have been so easily detected.

“This was not a sophisticated attack,” said Joseph R. Weiss, managing partner at Applied Control Solutions LLC in Cupertino, California.

Nor was the attack a surprise, experts say.

The “bad guys” have been looking at infrastructure, whether it is a water or power distributor, sewage plant or traffic lights for a long time, said Alan Brill, senior managing director with the cyber risk practice of Kroll LLC, an affiliate of Duff & Phelps LLC, in Secaucus, New Jersey.

The Oldsmar incident shows the need for a broader discussion on cyber risk for operational technology and industrial control systems, in addition to established information technology risks, said Allison Pan, Chicago-based senior vice president of emerging risks for Marsh LLC.

“Some of these systems have been in place for a long time, and a lot of them have not had IT security built in,” said Christopher Keegan, New York-based senior managing director and cyber and technology practice leader for Beecher Carlson, a Brown & Brown Co. unit.

Improving security may involve the installation of devices, rather than software, which makes updating the system more difficult in terms of the time and cost, he said.

The Florida incident “speaks to the fact that it is critically important to have technology in place, or controls in place, that can detect intrusions in real time,” said John Farley, New York-based managing director for Arthur J. Gallagher & Co.’s cyber liability practice.

Early detection gives operators more time to repel hackers before significant damage is done, he said. “It’s one of the best weapons in defending and mitigating cyberattacks.”

But there’s no simple answer, said William Beck, Kansas City, Missouri-based global cyber product and claims leader for Lockton Cos. LLC.

Organizations should focus their efforts “on their remediation or, more likely, replacing all those systems with new equipment that is built with security by design.” They also need to make sure the systems are adequately monitored, he said.

They should also determine what advanced protection techniques can be put into place, such as multi-factor authentication, and ensure that end-of-life software is segmented from the network, said Howard E. Panensky, vice president, team lead, for the New York metropolitan area for FINEX North America, cyber/tech/media/E&O at Willis Towers Watson PLC. 

Libby Benet, New York-based global chief underwriting officer for financial lines for Axa XL, a division of Axa SA, said utilities and infrastructure organizations should contact an organization that has established standards for operational technology cyber security, such as the International Society of Automation and the Department of Homeland Security, whose Cyber Physical Systems Security project addresses security concerns for cyber physical systems and internet of things devices.

Mr. Keegan said a complicating factor in addressing the management of this risk is, there may be a lack of clarity as to whether the company that manufactured the entity’s equipment, or the entity itself, is responsible for security, which can create confusion.

The Florida incident is unlikely to directly affect the cyber insurance market, but  “obviously, it may give underwriters some additional concern,” Mr. Farley said.