Cybersecurity

Warner seeks answers from FBI, EPA on Florida water utility breach

Mark Warner SSI hearing flickr  

The chairman of the Senate Select Committee on Intelligence is calling on the FBI and the Environmental Protection Agency to provide more information about the cybersecurity breach at a Florida water utility earlier this month.

Hackers on Feb. 5 sought to add dangerous amounts of lye to potable drinking water at a treatment facility in Oldsmar, Fla. The Cybersecurity and Infrastructure Security Agency said in an advisory notice last week hackers were able to gain control of the facility through a desktop sharing application and exploiting vulnerabilities in the Windows 7 operating system, which Microsoft has stopped supporting.

"This incident has implications beyond the 15,000-person town of Oldsmar," Sen. Mark Warner (D-Va.) wrote in a letter to top officials at both agencies. "While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar… future compromises of this nature may not be detected in time."

The senator is asking the agencies for an update on the investigation's progress, the EPA to review whether the treatment facility was compliant with the "most recent Water and Wastewater Sector-Specific Plan" as well as whether that plan needs to be updated.

The plan Warner is referring was created by the Department of Homeland Security and the Environmental Protection Agency in 2015 to outline the oversight of public water utilities and provide a blueprint for how they can strengthen their physical and cyber infrastructure.

Warner wants the agencies to confirm the government is "sharing timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers across the United States," according to the letter.

The senator's letter also points out the attack highlights "broader security weaknesses" within the industrial control systems used by public utilities and the government in general.

Bryson Bort, a cybersecurity fellow at the R Street Institute, told FCW the problem of government systems using outdated operating systems, like the Oldsmar facility did, is probably "widespread."

Industrial control systems are "built for a long operational lifecycle and the devices and software were developed on the [operating system] that was available at the time. As an OS goes end of life/unsupported, there is oftentimes no way to even provide an upgrade or a patch," Bort said.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.


Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected