As the investigation continues into the hacking of Oldsmar’s water system, security experts are telling Congress that the federal government needs to do more to help cities and counties fend off cyberattacks.
Christopher Krebs led the Cybersecurity and Infrastructure Security Agency in the Trump administration. He says a foreign government could have hacked Oldsmar’s water system, or it could have been a disgruntled employee.
Krebs told the House Homeland Security Committee on Wednesday that the federal government needs to invest in training for local government employees. And it needs to make sure municipal computer systems are up to date.
“I'll also say that Oldsmar is probably the rule rather than the exception,” Krebs said. “And that is not their fault. These are municipal utilities that do not have sufficient resources to have robust security programs. That's just the way it goes.”
An intruder accessed the control system for the city’s water plant twice on Feb. 5. The first intrusion didn’t raise suspicion, as city employees have remote access to the network.
During the second breach, the intruder raised the level of lye (sodium hydroxide) by a factor of 100. A plant operator immediately noticed the increase and reversed it. Lye is used in tiny amounts to remove metals from groundwater and improve its pH balance, but large concentrations are poisonous. The FBI and U.S. Secret Service are investigating.
The Associated Press reports the computers at Oldsmar’s water plant were running on an outdated version of Windows with a shared password and no firewall. The city and FBI declined to comment on the report.