To the average person, most cybersecurity news might only sound relevant in the abstract. Network penetrations, stolen passwords, leaked files, and the like aren’t exactly the kind of things that create a headache for most of us. But like the sharp-edged mass of an iceberg hidden below the surface, the frightening implications of many security and hack-related news items are ones you’re not aware of, or that you don’t hear about until much later. Like, for example, the way a hacker nearly poisoned the water supply of another major US city, this time San Francisco, earlier this year.
NBC News revealed details of the heretofore unreported incident a few days ago, as part of a larger deep-dive into the disastrously porous state of the security associated with water supply systems around the US. In brief: On January 15, the week after the insurrection at the US Capitol that was still dominating national news headlines, a hacker embarked on this mission. Armed with a password and username for an employee’s TeamViewer account, this hacker logged into the San Francisco water system’s computer network remotely and started deleting programs associated with the treatment of drinking water.
NBC News credits these details to a private report prepared by the Northern California Regional Intelligence Center. The scary part was that the coast seemed to be pretty clear, with few if any impediments stopping the hacker from bringing the worst to fruition. However, the report only offers this vague denouement to the whole affair, noting that the hack was discovered the following day, the facility changed the login credentials, and that was that.
Based on the few details provided, in other words, it sounds like San Francisco got super lucky. “No failures were reported as a result of this incident, and no individuals in the city reported illness from water-related failures,” the report reads.
A sobering new survey from the WaterISAC finds a majority of the 52,000 separate drinking water systems in the U.S. still haven't inventoried some or any of their information technology systems – a basic first step in protecting networks from cyberattacks. https://t.co/ozr4TS2dSm
— briankrebs (@briankrebs) June 21, 2021
If this all sounds a little familiar, it should. That San Francisco Bay-area attack that no one heard about until now was followed by one that actually did end up making headlines around the US — and it, too, involved a hacker using TeamViewer credentials to try to poison the water supply of Oldsmar, Florida, by raising the levels of lye in the drinking water there. Luck played a part once again in stopping this, because an employee watched the hacker’s remote actions in real time — watched, literally, as the hacker remotely moved the computer mouse around the employee’s computer screen, and was able to shut down the hacker’s attempted changes.
“If you could imagine a community center run by two old guys who are plumbers, that’s your average water plant,” industrial cybersecurity consultant Bryson Bort told NBC News, regarding the nature of security connected to these types of systems.
Along these same lines, cybersecurity journalist Brian Krebs reported a related and very sobering finding this week: that most of the 52,000 individual drinking water systems in the US “still haven’t inventoried some or any of their information technology systems — a basic first step in protecting networks from cyberattacks.” Per the Water Sector Coordinating Council, a survey of around 600 employees of water and wastewater treatment facilities around the country revealed that only 37.9% of utilities “have identified all IT-networked assets.”