A top Florida law enforcement official told Gov. Ron DeSantis and other state leaders Tuesday that "extremely lax" security at a municipal water plant northwest of Tampa allowed hackers to break into its computers to try to poison residents earlier this year.
The head of the Florida Department of Law Enforcement, Rick Swearingen, provided the unexpected update on the mysterious sabotage effort during a Cabinet meeting in Tallahassee. The criminal investigation continues in the case. No one was hurt.
Swearingen said his agency was promoting two-factor authentication – in which knowing a password alone is not enough to log into computers – to frustrate hackers. That appeared to confirm that the water plant in the town of Oldsmar wasn't using the security technology, which has been widely available for years.
Investigators previously said the plant used TeamViewer, a widely available remote-control program; that its control computers shared a single common password for remote access; and that it did not employ routine defensive technologies such as firewalls.
Swearingen told the governor and his Cabinet that he could not say much publicly about the water plant hacking, but his comments about two-factor authentication provided important clues about what happened behind the scenes in the high-profile case. He was responding to questions from Florida Attorney General Ashley Moody and Agricultural Commissioner Nikki Fried.
"God forbid, that was not caught at that time, that would have been disastrous," Fried said. "Human lives could have been lost." She asked for "additional intel, or tell us where else you might be looking?"
Swearingen said he was limited in what he was willing to say in such a public forum.
“Some of the security measures were extremely lax that led to that incident,” he said. “We need to get the word out better on how to prevent these things. If we're fighting nation states, we're never going to win every battle, but there are some simple things we can do with regards to passwords, dual-factor authentication, things like that, that will limit the ability for bad actors to get access to some of those systems.”
Hacking investigations routinely take place under utmost secrecy. Disclosures about an industry’s security practices – or lack of them – can reveal weaknesses that other hackers might exploit, and revelations about negligent security can embarrass companies or government agencies and raise civil liabilities.
Swearingen's remarks also were unusual because cyber investigators often are reluctant to make statements implying that hacking victims share blame for their own break-ins. He prefaced his criticism of the water system's lack of security by saying, "I don't want to seem critical here."
An unidentified hacker on Feb. 5 breached Oldsmar's drinking water treatment plant, whose computers control chemical dosing and other operations in the water system. A plant manager who was working at the time noticed that the hacker raised the sodium hydroxide setpoint from about 100 parts per million to 11,100 parts per million. The manager acted immediately and restored the sodium hydroxide setting to its original level. The water system serves about 15,000 customers.
Pinellas County Sheriff Bob Gualtieri said previously that the tainted water would have reached the system 24 hours after the change if the plant manager had not acted, so the public was not in danger.
The plant's computers ran the Windows 7 operating system, which Microsoft stopped supporting last year; all of the computers shared the same password for remote access, and none was protected by a firewall, according to a cybersecurity advisory issued by the Federal Bureau of Investigation and the U.S. Cybersecurity and Infrastructure Security Agency. The advisory said the hacker likely gained access through TeamViewer, the software the plant used for remote access.
Swearingen did not indicate to the governor whether investigators were close to identifying or arresting the culprits.
Two-factor authentication is a security enhancement that requires people to present evidence from two different categories as they log in, according to the National Institute of Standards and Technology: something they know, something they have, or something they are. The first factor is typically a username and password, and the second might be a physical token on a USB device or a one-time code generated by or sent to a phone. It is commonly available to consumers for use with email and social media services.
Oldsmar’s lack of security was a recipe for disaster, said Ming Chow, a Tufts University computer security professor. He said such facilities should use distinctive passwords and add a better authentication system for users.
“Not having two-factor authentication doesn’t help at all,” Chow said. “A password will always be broken given a matter of time.”
Cybersecurity consultant Christopher Bradley of Tampa said the plant also should focus on firewall protection and an updated operating system.
This story was produced by Fresh Take Florida, a news service of the University of Florida College of Journalism and Communications. The reporter can be reached at smatat@freshtakeflorida.com.