Florida Water System Hack Offers Lessons for Other States

The Florida water system hack is still under investigation, but the worrisome details made national news and brought into question the security of the country’s critical, if oft-overlooked, infrastructure.

A digital padlock over a tech background.
Shutterstock/deepadesigns
(TNS) — Earlier this year, the plot of a spy thriller unfolded at a Florida water treatment plant.

Without warning, hackers breached the computer system operating the plant on Feb. 5, boosting treatment chemicals to dangerous levels. A water operator at the plant could only watch as a remotely controlled mouse drifted across his computer screen, skyrocketing levels of lye — a caustic chemical used to control water acidity and remove harmful metals from drinking water — from the usual 100 parts per million to a highly toxic 11,100 parts per million.

Luckily, the operator was able to restore chemical levels to normal once hackers exited the system, narrowly averting a disaster that could’ve poisoned 15,000 people in the small city of Oldsmar.

“Water systems, like other public utility systems, are part of the nation’s critical infrastructure and can be vulnerable targets when someone decides to adversely affect public safety,” Bob Gualtieri , the Pinellas County Sheriff, said days later, describing the attack at a press conference.

The Oldsmar hack is still under investigation, but the worrisome details made national news and brought into question the security of our critical, if oft-overlooked, infrastructure. In New Jersey, experts warn drinking water systems across the Garden State are exposed to the same threat.

The Garden State Network, the IT infrastructure on which the state government runs, faces an onslaught of 4 million cyberattacks each day, said Jared Maples , the director of the New Jersey Office of Homeland Security and Preparedness. Maples told NJ Advance Media the Garden State has been aggressive in strengthening cybersecurity standards and regulations for a variety of sectors.

“The country is running off of a lot of what we’re doing infrastructure-wise,” Maples said. “And because of that, I think we’ve been forced to adopt some of these principles well ahead of time.”

Last fall, for example, the Jersey City Municipal Utilities Authority was hit with a cyberattack that blocked access to “vital” information related to water and sewer services in New Jersey’s second-largest city. The incident was determined to have threatened the “health, safety, and welfare of the citizens of Jersey City,” according to a resolution passed by the agency’s Board of Commissioners in October, in which they hired an outside law firm to investigate the attack.

The Jersey City MUA did not respond to requests for comment for this story.

“There has been a marked uptick in cyber attacks, specifically over the last year, but really over the last several years,” Maples said. “The water industry is just as just a part of that, just like every other private sector and critical infrastructure.”

The Water Quality Accountability Act (WQAA,) which was passed by state lawmakers and signed by Gov. Chris Christie in 2017, requires that every drinking water system in New Jersey serving more than 500 customers meet cybersecurity standards.

“I think from a cyber side, if there were gaps, that act really cleared them up,” Maples said.

The WQAA requires water systems to join the New Jersey Cybersecurity and Communications Integration Cell, which is part of Maples’ office. To maintain membership, water systems must exhibit industry best practices, like cybersecurity training for staff and creating “air-gapped” networks to keep critical infrastructure separated from the Internet.

The hacked Florida system did not have an air gap, according to an advisory Massachusetts sent to its own water utilities.

Some large, private drinking water systems are regulated by the New Jersey Board of Public Utilities, an additional level of oversight. These water systems are subject to an order issued by the BPU in 2016, which requires them to stay in compliance with federal cybersecurity rules.

Under state law, any utility that violates a BPU order can be fined up to $100 for each day out of compliance. It is unclear if the BPU has ever issued fines for a utility that failed to meet the standard of that 2016 order.

Those BPU-regulated utilities comprise a small group of six companies: New Jersey American Water, SUEZ Water New Jersey, Aqua New Jersey, Dover Water Commission, Gordon’s Corner Water Company and Clinton Water . Those companies serves millions of customers across the state, but hundreds of other water systems — including every public system in New Jersey — are not overseen by the BPU and are not subject to the BPU order.

New Jersey water systems are required to send a report to either the DEP or the BPU each October stating whether or not they meet WQAA standards. But that process is flawed, hindered by a lack of enforcement from the DEP, leaving questions about how truthful water systems are in filling out the forms.

“Because the WQAA does not provide the DEP with authority to take enforcement action against systems that have not met the reporting requirements, no violations have been issued,” Caryn Shinske , a DEP spokesperson, said. “However, the DEP will continue to work to bring systems into full compliance to ensure continued protection of public health.”

And there’s a simpler problem: Some water systems just don’t fill out the forms. In 2018, the first year the forms were due, 16 water systems failed to send them to DEP. In 2019, that number grew to 25, and in 2020 it reached 26.

The BPU said all six of the water utilities it regulates have completed the forms in the past three years.

In Trenton, state lawmakers are pushing a new bill (S647/A4825) that would update the WQAA with stricter cybersecurity rules, and give Maples’ office enforcement authority to ensure water systems meet the new standards.

That bill has cleared the state Senate and is awaiting approval in the Assembly.

Maples said he supports the effort to update the WQAA, and any other efforts to strengthen cybersecurity in New Jersey. He said he office is always looking to better protect the state’s infrastructure.

“I think we’re throwing the kitchen sink at it,” Maples said. “We want to make sure we’re ahead of those that are behind (the threat).”

©2021 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.