2021-05-07

When a water production facility in Oldsmar, Florida, had its computer systems hacked on Feb. 5, it sent shock waves through Homeland Security offices across the nation.
Water production plants and wastewater treatment facilities have long been on the list of facilities that could be targeted for terrorist attacks. A briefing on the Oldsmar attack that the Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) released last month has them at 16 on its list of 17 critical infrastructure sectors — just above cyber.
In the Oldsmar incident, hackers were able to take control of software which controlled valves at the plant, opening up a tank of sodium hydroxide (better known as lye, a very caustic chemical used in drain cleaners and industrial cleaning products) and adding it to the facility’s water tank. Had it gone undiscovered, the hack would have raised the concentration of lye in the water to 200 times normal.
Could that sort of attack happen in the Teche Area? In the future, it could be possible. But for now, the same obsolescence that has communities being placed under boil orders on a regular basis is a shield of sorts from cybersecurity threats.
“We just got the ability to monitor our well,” said St. Martinville Public Works Superintendent Brian Touchet, who has responsibility for the city’s water production. “If you want to do anything on our system, you have to go to the plant and turn the valve yourself.”
The same issues exist for other facilities in the region. Automation of the sort that allowed the Oldsmar hack to occur just isn’t here. But that hasn’t stopped state officials from developing a plan for dealing with security as facilities upgrade.
According to GOHSEP, water and wastewater facilities are already under attack, although most of it is of the more traditional sort. Utilities have reported physical security incidents, and the types of activity that GOHSEP categorized included thefts (28 percent), threats (28 percent), surveillance or suspicious questioning (24 percent), and assault (10 percent).
According to the GOHSEP report, the biggest fear is not an attack at the production facilities themselves but a direct attack, by injecting a substance into the water supply or blocking it, at a critical infrastructure and key resource (CIKR) like a federal courthouse. The experts also fear that a special event, such as a large sporting event or concert, could be targeted using the water supply to the site.
In the months since the Oldsmar attack — which an attentive operator was able to manually thwart — agency heads have been looking at the ways that future attacks at the production source could be stopped before they start.
After the fact, investigators discovered that the high-tech automation that allowed the Oldsmar hack to occur, a supervisory control and data acquisition (SCADA) system of computers, sensors and actuators, had been installed with absolutely no additional security added. Even the factory passwords remained unchanged, allowing anyone with basic knowledge of the system to walk right in.
That wasn’t the only issue. All of the computers workers at the plant used were connected to the SCADA system, regardless of whether they were essential or not. On top of that, they were all running Windows 7 — a system so old that Microsoft quit patching security holes in it as of January of last year.
If that weren’t enough, all of the plant’s computers shared the same remote access password and were exposed to the internet with absolutely no firewall protection.
So much of the response has focused on cybersecurity, the same sort of discipline that most people have experienced at work. Steps like avoiding phishing scams, changing passwords, and keeping sensitive information like access codes and passwords private are at the heart of the effort to prevent future attacks.
For now, though, the citizens of the Teche will have to be more concerned with a facility losing pressure and having to issue a boil order. If federal aid for infrastructure arrives and plants are upgraded to eliminate that threat, then cyber issues may come to the forefront.