Water treatment plant vulnerable to hack attacks directed towards Bay area: FBI report

Federal Bureau of Investigation is looking into a hacker's attempt to poison an unnamed San Francisco Bay Area water treatment plant in January. According to a private report compiled by Norrn California Regional Intelligence Center in February and seen by NBC News, hacker h username and password for a former employee's TeamViewer account, a popular program that lets users remotely control ir computers.

After logging in, hacker, whose name and motive are unknown and who hasn't been identified by law enforcement, deleted programs that water plant used to treat drinking water. 

hack wasn't discovered until following day, and facility changed its passwords and reinstalled programs.

report, which did not specify which water treatment plant h been breached, stated, "No failures were reported as a result of this incident, and no individuals in city reported illness from water-related failures". 

incident, which has not been previously reported, is one of a growing number of cyberattacks on U.S. water infrastructure that have recently come to light. Bay Area attack was followed by a similar one in Oldsmar, Florida, a few weeks later. In that one, which me helines around world, a hacker also gained access to a TeamViewer account and raised levels of lye in drinking water to poisonous levels. An employee quickly caught computer's mouse moving on its own and undid hacker's changes.

Water treatment plant- US' critical infrastructure 

U.S. water infrastructure does have some built-in security, most notably its lack of centralization. But that also means re's no simple solution to safeguard water facilities.  Bay Area case is still under FBI investigation. It's still unknown how hacker or hackers got access to those TeamViewer accounts. But a staple of dark web forums is hackers buying, repackaging and selling login credentials.

Kent Backman, a researcher at cybersecurity company Dragos, said, " usernames and passwords for at least 11 Oldsmar employees have been tred on dark web". 

Mike Keegan, an analyst at National Rural Water Association, a tre group for sector, said, "It's really difficult to apply some kind of uniform cyber hygiene assessment, given disparate size and capacity and technical capacity of all water utilities".

He ded, "You don't really have a good assessment of what's going on".

Bryson Bort, a consultant on industrial cybersecurity systems said, "Unlike electric grid, which is largely run by a smaller number of for-profit corporations, most of more than 50,000 drinking water facilities in U.S. are nonprofit entities. Some that serve large populations are larger operations with dedicated cybersecurity staff. But rural areas in particular often get ir water from small plants, often run by only a handful of employees who haven't dedicated cybersecurity experts". 

He informed, "y're even more fragmented at lower levels than anything we're used to talking about, like electric grid," he said. "If you could imagine a community centre run by two old guys who are plumbers, that's your average water plant."

Need for a cybersecurity audit

re has never been a nationwide cybersecurity audit of water treatment facilities, and U.S. government has said it has no plans for one. While a few individual facilities can ask federal government for help to protect mselves. Hacks can take years to come to light if y do at all as it's up to individual water plants to protect mselves, and even if y're aware y've been hacked, y might not be inclined to tell federal government, much less ir customers. 

Cybersecurity and Infrastructure Security Agency, federal government's primary cybersecurity defence agency, is tasked with helping secure country's infrastructure, including water. But it doesn't regulate sector and is largely confined to giving vice and assistance to organizations that ask for it.

Planning ahe

A spokesperson said, though no dates have been announced, White House plans to launch a voluntary cybersecurity collaboration between federal government and water facilities, similar to one announced with energy industry in April. 

However, experts said that no one claims any government initiatives can make American water entirely safe from hackers. 

(Image credit:  PIXABAY)