As you probably read or heard last week, the small city of Oldsmar, Florida, population 13,500, narrowly escaped a disaster from a cyber attack.
A hacker manipulated the lye ratio in the water system of the city, which is near Tampa, using the remote access tools the city’s water department deploys to manage the chemicals that make the city’s water safe to drink.
The story doesn’t tell us as much about the vulnerability of our nation’s critical utilities, however, as it does about what can happen when municipalities and businesses cut corners on the technology they use.
Oldsmar turned out to be fortunate in this case.
First, the hacker chose to access the system during working hours in full view of on-site staff, who immediately alerted their superiors to the attempts to drastically change the lye content in the water. Had the hacker attempted to do this after hours, the problem might not have been caught until the next morning.
Second, the water plant still remotely accesses the system with Windows 7 32-bit computers, a year after Microsoft retired that operating system and declared it unsafe. But that was the least of the plant’s security transgressions.
The computers used to access the plant’s treatment control system shared the same password for remote access. In addition, all appeared to be directly connected to the Internet without a firewall.
Budget concerns justifiably come into play with cyber security measures at small municipalities, just as they do for small businesses.
But using different passwords, changing them from time to time, installing a firewall, and implementing multi-factor authentication offer low-cost protection that any organization can afford.
Another cost-effective measure would be cyber security awareness training for employees and management.