© 2023 All Rights reserved WUSF
Play Live Radio
Next Up:
Available On Air Stations

One year after the Oldsmar water breach, some experts question the utility's cybersecurity

exterior of water treatment plant with American flag
City of Oldsmar
Investigators are trying to determine who broke into the computer system of the city of Oldsmar's water treatment plant.

Experts say some small cities, both Florida and nationally — as well as their utilities — lack proper cybersecurity.

A year after a cyberattack on the city of Oldsmar’s water system last year, experts are reflecting on the state of security for utilities around Florida.

The cyber breach of the water treatment plant, which took place on Feb. 5, 2021, raised concerns, as a hacker tried to poison the city’s water supply by increasing sodium hydroxide levels.

The next month, the head of Florida’s Department of Law Enforcement said that the water plant’s security was “extremely lax.”

Rick Swearingen said that a lack of security features such as two factor authorization and stronger firewalls made the water system’s technology vulnerable to attack.

A year later, many experts still feel the same way.

In an email, Tufts University computer security professor Ming Chow said he has “no confidence that utilities are doing anything to protect themselves.”

Among the problems he mentioned are weak passwords, and web infrastructure that continues to be used despite having problems “year after year.”

An additional shortcoming for utilities, according to another expert, is the size of the cybersecurity workforce.

“The cybersecurity industry is suffering from a talent deficit. There is a huge talent gap between supply and demand,” said Ron Sanders, staff director for the Florida Center for Cybersecurity. 

Sanders added that these smaller cities and counties have a more difficult time competing for skilled cybersecurity workers. On top of that, employees at smaller water treatment plants and similar utilities simply don’t know cybersecurity best practices.

Some of these “cyber hygiene” practices include stronger passwords, identity management, and multiple factor authorization.

Sanders also highlighted a new initiative from the White House to combat these issues. In a Jan. 27 announcement, the administration said the Industrial Control Systems (ICS) Cybersecurity Initiative will be extended to the water sector.

This involves developing and encouraging technologies that will help “monitor their systems and provide near real-time situational awareness and warnings.”

Sanders feels that the “silver lining” behind the Oldsmar water hack was the national spotlight it put on water treatment facilities and their computer security. He feels that a national plan like the ICS Initiative is a step in the right direction.

“That's one of the things that the government can and will do is identify and distribute those best practices and provide technical assistance to jurisdictions so that they can adopt and adapt those best practices to their own local circumstances,” he said.

Creating uniform government or cyber insurance requirements with some of these best practices, Sanders added, would also bolster the security of these utilities.

In addition, “cyber pooling,” or putting skilled cybersecurity workers in charge of multiple jurisdictions and pooling jurisdictions’ resources to finance it, is another option.

But the good news from all of this, according to Sanders is that “so many of these attacks can be easily thwarted.”

He said that with proper “cyber hygiene” practices, such as taking extra care when clicking on links, watching out for phishing attacks, and keeping password information secure, can help prevent almost 80% of attacks.

I am WUSF’s Rush Family Radio News Intern for spring 2022.