At a hearing in the House Homeland Security Committee Thursday, former director of the Cybersecurity and Infrastructure Security Agency Christopher Krebs said that the security of a hacked Oldsmar, Florida, water treatment plant was "probably the rule, not the exception."
The Oldsmar attack was notable because a hacker attempted to poison the water supply. The attack did not succeed in that goal, but the hacker did hijack a remote access system used by employees at the city’s water treatment plant.
Among CISA's responsibilities at the Department of Homeland Security is handling several kinds of public/private and federal/local partnerships in infrastructure cybersecurity.
"These are municipal utilities that do not have sufficient resources to have robust security programs. That's just the way it goes," Krebs told the committee. "They don't have the ability to collect revenue at a rate enough to secure their deployments. When you have the internet, it's supposed to make things easier; it's supposed to make things more manageable. And so now all of a sudden it's a security threat."
Krebs suggested a multipronged approach to shoring up municipal utilities, including adding funding to update aging technology. (The Oldsmar plant, reportedly, ran Windows 7 computers in this Windows 10 world.) He also called for more education of staff.
He added that it was too early to speculate about the attackers' cause or motive.
"I think it's possible that this was an insider or a disgruntled employee. It is also possible that it was a foreign actor," Krebs said. "This is why we do investigations. But we should not immediately jump to a conclusion that it is a sophisticated foreign adversary."