On Friday, February 5, a hacker breached the water plant serving Oldsmar, Florida and instructed it to increase the amount of lye in the water to extremely dangerous levels.

The Problem

The US's water supply is a massive, decentralized network of more than 54,000 local systems, run by local governments and small companies. While this makes it virtually impossible to corrupt the water supply at scale, it does open up the smaller water systems to incredible risks. Lacking money and human capital, these systems often rely on a single IT employee to manage everything from provisioning software to troubleshooting glitches to, you guessed it, cybersecurity.

Such was the case with the Oldsmar Water Division, whose entire IT department consists of one man, City Manager Al Braithwaite.

Oldsmar, a city of 15,000 just outside Tampa, may be the latest (known) victim of an industrial cyber attack, but it serves as a case study for thousands of other water, power, transportation, and communications systems throughout the country.

The Attack

The Oldsmar attack was frighteningly simple. All the hacker had to do was gain access to a TeamViewer account which allowed them to take full control of the plant's systems in one fell swoop. While it's unknown exactly how they were able to pull that off, some sort of social engineering attack was the probable route. As with the recent attempts to hack Tesla and NASA, hackers often rely on social hacking since humans, as opposed to most enterprise-grade software, are inherently vulnerable, and can be used to leapfrog entire cyber defense systems.

Once they breached the system, the hackers were able to access the program that controls the chemical levels for the underground reservoir that feeds water to the 15,000 individuals serviced by the plant. With just a few clicks, they increased the lye levels from 100 to over 11,000 parts per million, effectively poisoning the entire water supply.

Fortunately, this change was quickly noticed by an operator, who reverted the change, and then disabled remote system access. If left unnoticed, said Pinellas County Sheriff Bob Gualtieri, the lye would have seeped into the water supply in 24 to 36 hours.

And so, Oldsmar joins a growing list of industrial near-catastrophes that were averted simply by coincidence and sheer luck. Another notable example is the 2013 breach of the Bowman Dam system in NY which just happened to be offline at the time for maintenance. This hack was later tied to the Iranian Government.

The Solution

As we've extensively reported, the US continues to face widespread cybersecurity vulnerabilities in its public and infrastructure sectors. A study commissioned by the state of Mississippi revealed that "many state entities are operating like state and federal cyber security laws do not apply to them."

And, as we pointed out then, the solution must involve multiple actors. In this case, there needs to be increased federal aid and technical support, state incentives and oversight, and finally a bottom-up strategy to promote cyber-awareness. Any security strategy must create a dynamic of shared responsibility at its core if it is to be at all effective. This means introducing training workshops and awareness programs, along with funding and regulations, that shows employees that your organization or district takes cybersecurity seriously.

Information security cannot be contained in a set of regulations or handed off to a security department. To be effective, it must lead to a complete transformation in organizational priorities and culture.