TARPON SPRINGS – After Pinellas County Sheriff Bob Gualtieri announced Oldsmar’s water treatment plant had suffered an “unlawful intrusion” of its software program Feb. 5, he urged other bay area municipalities with similar facilities to be vigilant and update their security measures.
“We’re asking all governmental entities within the Tampa Bay area that have critical infrastructure components to actively review their computer security protocols and make any necessary updates that are consistent with the most up-to-date practices,” Gualtieri said during a press conference on Feb. 8.
Tarpon Springs is one such municipality that has its own water treatment plant, and as a result of the Oldsmar breach, the city has been working hard to make sure their facility is safe, according to officials.
“The City of Tarpon Springs would like to reassure its utility customers of the safeguards taken to ensure the safety of our water supply in light of recent events with the City of Oldsmar’s water facility,” read a Feb. 9 post on Tarpon’s official Facebook page. “The city continuously reviews all systems and implements increased security measures regularly. We are confident in the multiple levels of security and safeguards in place. The City of Tarpon Springs is monitoring the investigation in Oldsmar and will be reviewing any additional findings and recommended improvements.”
According to Mayor Chris Alahouzos, Tarpon officials have been contacted by the law enforcement agencies working on the Oldsmar breach, though he declined to go into specifics of the discussions.
“The reason we posted the announcement on social media is to make sure everyone understands we are looking at everything without giving away any details,” Alahouzos said. “We want to give enough information for people to know what’s going on but keep the security measures we have in place private.”
The Oldsmar hack has received international news coverage due to the serious nature of what occurred. Gualtieri reported that a person remotely accessed the system for about three to five minutes, opening various functions, one of which controlled the amount of sodium hydroxide in the water. The hacker changed the amount from about 100 parts per million to 11,100 parts per million.
Sodium hydroxide, commonly known as lye, is the main ingredient in liquid drain cleaners and is also used to control water acidity and remove metals from drinking water in treatment plants. Fortunately, an alert plant worker noticed the suspicious activity and reported it to a supervisor, who immediately contacted the authorities. “Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger,” Gualtieri said.
According to Josiah Cox, president and founder of Central States Water Resources, threats against the nation’s water supplies have become more common in recent years, and he said many small communities don’t realize how vulnerable their facilities are to hackers and other dangers.
“Regarding the Florida situation, I commend the vigilance of the staff to catch something like that,” Cox said by phone, adding, “Small systems actually a lot of times are harder to run than larger systems, just because you don’t have the redundancies and larger staffs and the same resources. So that the fact that they were paying that close attention to what was going on was really awesome and shows how much they care.”
Cox, whose 7-year-old company is based in Texas and runs more than 250 water treatment facilities in five states, said he hasn’t had to deal with any software intrusions in his 20-plus years in the industry. But he said situations like the one in Oldsmar are at the forefront of everyone’s mind today.
“We’ve been getting warnings for the last year from both the EPA and state-level environmental regulators, and state-level utility regulators have been sounding the alarm saying, ‘Hey, this is a real risk out there,’” Cox said. “So, cybersecurity has definitely been on the forefront for the last year for sure.”
After noting a good cybersecurity network is considered to be the gold standard when it comes to protection, Cox admitted it’s not always an option for the country’s many small-town water facilities.
“I think it’s especially hard for the smaller communities to invest in the kind of cybersecurity necessary to protect critical infrastructure,” he said, noting there are more than 52,000 water and 35,000 sewer treatment facilities in the U.S. “I think it’s a real risk. And that’s why we’ve been hearing about it so much from the regulatory bodies in every state that you need to be super vigilant, because if you’re a hacker, you’re going to pick the small system. You’re going to go to a place that you think is the most vulnerable with the least amount of sophistication. So, hats off to (Oldsmar) that they were paying that close attention.”
Cox added without the vigilance and redundancies in place, the situation could’ve been devastating.
“Absolutely,” he said. “Those chemicals are needed for water treatment, but at higher levels they are toxic. So, there’s a real danger there at a certain point.”