Oldsmar Florida Water Utility was hacked by cyber criminals. (In case you missed it https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/) The obvious question for me is why? Many are responding to that question with the obvious answer – to do evil, to poison the public. That we agree on. But I am asking a deeper question, WHY? Why Oldsmar? Why the water Utility?
Before we delve into any of those questions, I have no inside information and have not been privy to any of the investigative information. I am making some logical assumptions.
Why? On that there is very little debate – evil people are among us. Some would do anything to terrorize the public. At some point, an agenda may surface that will let the public know of the ideology of this person or group of people. I think it goes without saying that these hackers have gained the public’s attention and are eliciting a response – maybe the response they were hoping to attain.
Why Oldsmar Florida? Oldsmar is a small town; population is less than 20,000. The City sits between Tampa, Clearwater and Saint Petersburg. While it sits at the corner of the I4 corridor, it is not a booming metropolis. Which again begs the question why Oldsmar? Oldsmar is like many small communities across the country. The water utility is used to provide a critical service to the public and provide a revenue source for the city. A small public utility may or may not have the cyber security needed to protect the SCADA system that controls automation of the utility. Many small utilities are not using the most up to date defenses. For that reason, these utilities become a glaring target for cyber criminals that have decided to do harm to the public.
Why was the water utility targeted? Again, I have no specific knowledge of this attack, but I have been saying for years that the public is enamored by protecting the electric grid. The electric grid must be protected but water and wastewater cannot become an afterthought. I would argue that if a criminal wanted to impact the public, disabling or damaging the water and wastewater systems are far more debilitating to the public than the electric grid. Think about yourself – How long can you go without electricity? While it will be frustrating and difficult, most can reasonably go a week or two without electricity. How long can you go without water? How long can you go without flushing your toilets? A day? Maybe two? Depending on where you live, life would become incredibly difficult and even hazardous without water for even a few days. To take it a step further, assume the cyber criminals had achieved access of the sewer system and put the pumps in reverse. Pretty nasty to think about, but how long could you remain in your home if your toilet was flowing the wrong way? I am guessing not even a day. The point – our nations water and wastewater systems are vulnerable and can create immeasurable harm to the public and to the environment.
An even deeper question. Again, why Oldsmar Florida? Purely speculation, but I would argue that Oldsmar was not really the target. Oldsmar was either an opportunity to make a point or Oldsmar Florida was a practice event with larger and more precise events to follow. Attacking a small utility might be a dry run for future attacks against larger more concentrated populations. Next time it might not be lye that is used. It might be something far less likely to be noticed.
In order to be prepared, utilities of all sizes should examine the cyber security practices and defenses that are deployed. The next utility attacked could be your utility.