Recent publicly released details of the Oldsmar breach paint a picture of poor cyber hygiene and governance. The breach vector was reportedly TeamViewer remote access software that was no longer in active use by the utility, and for which there was a single access password shared by all users. The utility was also using an old Windows 7 operating system. In response, the Cybersecurity & Infrastructure Security Agency (CISA), FBI and EPA issued a joint press release urging utilities to upgrade from this system due to the lack of security updates. Furthermore, the Wall Street Journal reports that, in contrast to electric utilities, which have strong national standards that they must meet, community water utilities in the US do not have any national standards for cybersecurity.
The Oldsmar breach paints a picture of severely deficient cyber governance practices at the water utility. Unfortunately, similar worst-practice cyber hygiene, such as using outdated software, sharing passwords and failing to remove software that is no longer in use, is more likely than not to exist at many more of the 50,000+ water utilities across the United States.
This case shines a glaring spotlight on the need for national standards not only for this critical infrastructure category, but for other enterprises as well. It points to a clear need for upgraded, updated and more systemic cyber security standards instead of piecemeal sector-by-sector regulatory overhauls following a serious breach event at a company within a certain sector. SolarWinds did not reveal the need to improve cyber governance and cyber security only at software companies or only at companies with a large government client base. SolarWinds and Oldsmar are just the two most recent cases that illustrate a systemic problem of poor cyber governance that must be addressed systemically. And while breaches will still happen in a new era of better overall cyber standards and governance, research clearly shows that improved, enforceable standards and mandatory disclosure will reduce the frequency of breaches and can lessen the damage caused when a breach occurs.