Politics: Cybersecurity and your water: Hacker attempted to poison Florida city's water supply


An unknown hacker remotely accessed the chemical controls of a water treatment plant in the City of Oldsmar, near Tampa, Fla., earlier this month. This breach is a reminder that the country's water infrastructure is poorly secured in cyberspace - and that vulnerabilities in this critical system pose real-world consequences.


Upon gaining access to the system, the hacker increased the amount of sodium hydroxide in the water to dangerous levels. Sodium hydroxide is lye and the main ingredient in drain cleaner. At high levels, it would have poisoned the city's drinking water. The hacker breached the network through TeamViewer software, a commonly used program for remote system maintenance. Industrial control systems cyber experts speculate that the hacker used stolen credentials.


As Samantha F. Ravich, our colleague at the Foundation for Defense of Democracies, observed last June, remote access applications and other types of programs and technology may "reduce costs, enhance efficiencies, and improve quality," but because water utilities are "not implementing security systems and processes" in parallel, these programs also introduce vulnerabilities.

Fortunately, the Florida hacker accessed the system during normal business hours (the hack occurred at 8 a.m. and 1:30 p.m. local time) when an operator was sitting at the monitor. That operator's observations and subsequent actions prevented disaster. A stealthier hacker would not have been so sloppy.

At a press conference, Sheriff Bob Gualtieri and other local officials were quick to reassure the public that the operator immediately detected and reversed the hacker's actions before additional chemicals were added and that alarms in the system would have sounded before tainted water reached the public. What these officials did not mention is whether these alarms are hard-wired or whether a hacker could have remotely accessed and altered or disabled them.


Despite the city's success at preventing the worst from happening, this is also a story of cyber failures.

The operator observed another person accessing his computer early in the morning but did not report an intrusion, because he assumed the person was his supervisor. He did not find it suspicious that the person used TeamViewer even though the utility had switched to a different software six months prior. Had the operator utilized best practice training for cyber hygiene, which would have taught him that he should talk to his supervisor to confirm the observation of an apparently routine remote access, he could have alerted security personnel five hours earlier during the first observed intrusion.

At this point, that 8 a.m. intrusion is the first known breach, but when asked by reporters if the hacker had access to the system before Feb. 5, city manager Al Braithwaite could only confirm that investigators are looking at past logs to try to determine.


When asked if similar attacks had occurred "at other agencies around the country," Braithwaite said he was unsure. In fact, however, a year earlier, a South Carolina water utility suffered an attack that disabled its online payment systems. In 2019, a ransomware attack hit a small water utility in Colorado. In 2015, the water industry reported the third-most cyber incidents behind critical manufacturing and energy.

The United States has more than 148,000 public water systems and more than 70,000 water and wastewater utilities. Many of these facilities "lack the required technical and financial capabilities to address all emerging risks, such as cyber risks," according to a 2016 National Infrastructure Advisory Council Report.

The situation has not improved over the past five years.

The Cyberspace Solarium Commission concluded in March 2020 that "water utilities remain largely ill-prepared to defend their networks from cyber-enabled disruption." In fact, the former chief technology officer for the state of New Jersey called water and wastewater "probably the least mature sector [of 16] from a cybersecurity standpoint."


As the sector-specific agency (SSA) and risk manager for the water and wastewater industry, the Environmental Protection Agency (EPA) is responsible for identifying and assessing cyber risks to the industry. The EPA's cybersecurity budget, however, is a fraction of that of the Department of Energy, the SSA for the closest comparable lifeline sector.

Senators did not ask EPA administrator nominee Michael Regan any questions about - nor did he offer his assessment of - the cybersecurity of the water industry during his three-hour confirmation hearing in early February. Regan and the senators discussed the need for investment in water infrastructure in the context of quality, climate change, economic development, and smarter systems - but not the security of these systems.

Municipal governments own more than 80 percent of U.S. water systems and more than 95 percent of wastewater systems, but most of these local governments lack the resources to make the needed cybersecurity investments. The EPA, in partnership with the Department of Homeland Security, should explore creating a grant program that would specifically assist local governments in protecting this critical infrastructure.

The City of Oldsmar had the good fortune to mitigate an attack by an unsophisticated hacker. Next time, we may not be so lucky.

Retired Rear Admiral Mark Montgomery is a senior fellow at the Foundation for Defense of Democracies (@FDD), senior director of FDD's Center on Cyber and Technology Innovation (CCTI), and senior advisor to the Cyberspace Solarium Commission. Annie Fixler is deputy director of CCTI. Follow the authors on Twitter @MarkCMontgomery and @AFixler. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.
