Water treatment plant vulnerable to hack attacks directed towards Bay area: FBI report

The Federal Bureau of Investigation is looking into a hacker's attempt to poison an unnamed San Francisco Bay Area water treatment plant in January. According to a private report compiled by the Northern California Regional Intelligence Center in February and seen by NBC News, the hacker had the username and password for a former employee's TeamViewer account, a popular program that lets users remotely control their computers.

After logging in, the hacker, whose name and motive are unknown and who hasn't been identified by law enforcement, deleted programs that the water plant used to treat drinking water. 

The hack wasn't discovered until the following day, and the facility changed its passwords and reinstalled the programs.

the report, which did not specify which water treatment plant had been breached, stated, "No failures were reported as a result of this incident, and no individuals in the city reported illness from water-related failures". 

The incident, which has not been previously reported, is one of a growing number of cyberattacks on U.S. water infrastructure that have recently come to light. The Bay Area attack was followed by a similar one in Oldsmar, Florida, a few weeks later. In that one, which made headlines around the world, a hacker also gained access to a TeamViewer account and raised the levels of lye in the drinking water to poisonous levels. An employee quickly caught the computer's mouse moving on its own and undid the hacker's changes.

Water treatment plant- US' critical infrastructure 

U.S. water infrastructure does have some built-in security, most notably its lack of centralization. But that also means there's no simple solution to safeguard water facilities. The Bay Area case is still under FBI investigation. It's still unknown how the hacker or hackers got access to those TeamViewer accounts. But a staple of dark web forums is hackers buying, repackaging and selling login credentials.

Kent Backman, a researcher at the cybersecurity company Dragos, said, "The usernames and passwords for at least 11 Oldsmar employees have been traded on the dark web". 

Mike Keegan, an analyst at the National Rural Water Association, a trade group for the sector, said, "It's really difficult to apply some kind of uniform cyber hygiene assessment, given the disparate size and capacity and technical capacity of all the water utilities".

He added, "You don't really have a good assessment of what's going on".

Bryson Bort, a consultant on industrial cybersecurity systems said, "Unlike the electric grid, which is largely run by a smaller number of for-profit corporations, most of the more than 50,000 drinking water facilities in the U.S. are nonprofit entities. Some that serve large populations are larger operations with dedicated cybersecurity staff. But rural areas in particular often get their water from small plants, often run by only a handful of employees who haven't dedicated cybersecurity experts". 

He informed, "They're even more fragmented at lower levels than anything we're used to talking about, like the electric grid," he said. "If you could imagine a community centre run by two old guys who are plumbers, that's your average water plant."

Need for a cybersecurity audit

There has never been a nationwide cybersecurity audit of water treatment facilities, and the U.S. government has said it has no plans for one. While a few individual facilities can ask the federal government for help to protect themselves. Hacks can take years to come to light if they do at all as it's up to individual water plants to protect themselves, and even if they're aware they've been hacked, they might not be inclined to tell the federal government, much less their customers. 

Cybersecurity and Infrastructure Security Agency, the federal government's primary cybersecurity defence agency, is tasked with helping secure the country's infrastructure, including water. But it doesn't regulate the sector and is largely confined to giving advice and assistance to organizations that ask for it.

Planning ahead

A spokesperson said, though no dates have been announced, the White House plans to launch a voluntary cybersecurity collaboration between the federal government and water facilities, similar to one announced with the energy industry in April. 

However, experts said that no one claims any government initiatives can make American water entirely safe from hackers. 

(Image credit:  PIXABAY)