
Krebs: Oldsmar water treatment plant’s security is ‘rule, not the exception’

At a hearing in the House Homeland Security Committee Thursday, former director of the Cybersecurity and Infrastructure Security Agency Christopher Krebs said that the security of a hacked Oldsmar, Florida, water treatment plant was "probably the rule, not the exception."

The Oldsmar attack was notable because a hacker attempted to poison the water supply. The attack did not succeed in that goal, but the hacker did hijack a remote access system used by employees at the city’s water treatment plant.

CISA's responsibilities at the Department of Homeland Security include handling several kinds of public/private and federal/local partnerships in infrastructure cybersecurity.

"These are municipal utilities that do not have sufficient resources to have robust security programs. That's just the way it goes," Krebs told the committee. "They don't have the ability to collect revenue at a rate enough to secure their deployments. When you have the internet, it's supposed to make things easier; it's supposed to make things more manageable. And so now all of a sudden it's a security threat."

Krebs suggested a multipronged approach to shoring up municipal utilities, including adding funding to update aging technology. (The Oldsmar plant reportedly ran Windows 7 computers in this Windows 10 world.) He also called for more education of staff.

He added that it was too early to speculate about the cause of the attack or the motive of the attackers.

"I think it's possible that this was an insider or a disgruntled employee. It is also possible that it was a foreign actor," Krebs said. "This is why we do investigations. But we should not immediately jump to a conclusion that it is a sophisticated foreign adversary."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
