A Florida public water system was briefly hacked and flooded with dangerous levels of lye, though the breach was caught before any harm was done to citizens. Cybersecurity analysts have been warning about attacks on critical infrastructure.
Summary
- A public water plant was hacked last week as hackers gained access to the software managing the system.
- Hackers used remote desktop software, operated by the public water utility to control the water system off-site, to increase the amount of lye in the system to toxic and dangerous levels.
- The breach has caused neighboring water infrastructure systems to beef up their cybersecurity, and is being characterized as a “wake-up call” by cybersecurity experts.
- According to one report, security protocols were lax, as all accounts tied to remote access used the same password, and one cybersecurity expert warned many municipalities do not have the resources for dedicated IT or cybersecurity departments.
- The FBI was contacted and began investigating the hack. Preliminary findings indicated the plant’s computer system was using an outdated operating system.
- CNN’s reporting highlighted comments by local authorities that it would have taken 24-36 hours for the water to reach the system and that multiple stop-gaps are in place to send alerts when water quality is affected. These comments were not widely reported in other outlets.
- The New York Times provided deeper background on the recent history of critical infrastructure hacks, noting Russian and Iranian hackers have been caught attempting to disrupt electrical and water utilities in the United States and other nations.
- NBC News reported on concerns among federal officials about the danger lenient cybersecurity protocols pose to critical infrastructure.
- OANN included Florida Senator Marco Rubio’s response, saying he’s urging federal law enforcement to assist in the investigation, calling it “a matter of national security.”
- Fox News included a list of IT security measures that managers of critical infrastructure should implement, including updating software, using multi-factor authentication when logging in to systems, and creating complex passwords.
- RedState offered skepticism that all is well, asking “if the public was never in any danger, why would it be necessary to check other nearby water systems?” while suggesting a military strike is warranted if it is determined to have been conducted by a foreign power.
© Dallas Gerber, 2021