JACKSONVILLE, Fla. – JEA wants to reassure its customers that water treated at the utility’s facilities is safe to drink because of the layers of protocols in place.
At the JEA downtown water treatment facility, Kevin Holbrooks is the director of environmental compliance, and it’s his job to make sure the city’s water is safe. He said the attempted poisoning of drinking water at a treatment facility in the city of Oldsmar in Pinellas County is concerning.
“We know people are consistently trying to do this all the time. It’s a known fact. The fact that a hacker got through their security is a concerning thing,” Holbrooks said.
Authorities said a hacker gained access to Oldsmar’s water treatment plant in an unsuccessful attempt to taint the water supply with a caustic chemical. Pinellas County Sheriff Bob Gualtieri said Monday that someone was able to breach a computer system for Oldsmar’s water treatment plant on Friday. Gualtieri said the hacker briefly increased the amount of lye by a factor of more than 100. The sheriff said a supervisor saw the chemical being tampered with and was able to intervene and reverse it.
Holbrooks said JEA has multiple safeguards in place.
“Our systems are monitored 24/7. The feed rate is controlled remotely and can be controlled from the plant site. We operate on site, checking everything out on a daily routine basis. We have people out in the field monitoring field conditions, as well as remote sensors throughout our distribution system,” Holbrooks said.
JEA also has lab technicians and scientists who are constantly testing and analyzing water samples to make sure the water is safe to drink. In fact, on average, the water is tested more than 45,000 times a year.
When it comes to the computer system used to pump water and add chemicals to the water to make it drinkable, JEA could not provide specific details without compromising security, however, the utility did provide a statement that reads:
“In order to address risks that could impact the safety and reliability of services, JEA’s security program has a layered defense strategy. The JEA security program includes but is not limited to vulnerability management, system monitoring and active response to such threats. These safeguards ensure that JEA actively maintains a highly secure control system.
“JEA also has safeguards in place to protect its water system. Water treatment facilities are monitored 24 hours a day, seven days a week, and water testing is mandated and regulated by the state. On average each year, JEA collects and tests more than 45,000 water samples.”
U.S. Sen. Marco of Florida tweeted Monday that what happened in Oldsmar should be treated as a matter of national security.
While JEA continues to monitor the water quality, JEA officials said they will continue to monitor the investigation in Oldsmar to see if there is anything they can learn from that security breach.
Cybersecurity expert weighs in
As of around 4:30 p.m. Tuesday, more than 7 million computers worldwide had been attacked by hackers.
Cybersecurity expert Chris Hamer said these are not necessarily home computers the hackers are attacking.
“These can be power plants, municipal water supply public utilities, public transportation systems, hospitals law enforcement,” Hamer said. “Their intent is to either gain control of the system so they can ransom it, penetrate the accounting system to get themselves a refund or eliminate their bill, or jack up everyone else’s bill for mischief, or they’re touristing to see what they can see.”
In the case of the Oldsmar water system hack, investigators said it wasn’t immediately clear where the attack came from. Hamer said there’s a chance the hacker was able to get into the system through either a malicious email or a non-secured remote desktop program.
“They’re on the internet all the time, and they’re constantly ringing the doorbell who answers, and, in this case, most of the programs answer by identifying what the actual process is, so once that gets cataloged, these people will continue to try different passwords until they get in,” Hamer said.
So if a system has low security or no security, Hamer said, it doesn’t take much effort to infiltrate the system.