Oldsmar water treatment plant breach reveals multiple severely deficient cyber governance practices and the need for cyber standards at the national level

Summary

Recently published details of the Oldsmar breach paint a picture of poor cyber hygiene and governance. The reported breach vector was TeamViewer remote access software that the utility no longer actively used but had never removed, and for which a single access password was shared by all users. The plant's computers were also running Windows 7, which reached end of support in January 2020 and no longer receives security updates. In response, the Cybersecurity & Infrastructure Security Agency (CISA), the FBI and the EPA issued a joint advisory urging utilities to migrate off Windows 7 because of the lack of security updates. Furthermore, the Wall Street Journal reports that, in contrast to electric utilities, which must meet strong national standards, community water utilities in the US are subject to no national cybersecurity standards at all.
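The three hygiene failures named above (an out-of-support operating system, remote-access software left installed after it stopped being used, and a fixed password shared by every user of that software) are all things a utility can check for on its own Windows hosts. The following PowerShell audit is an added example written for this page, not code from the article, from Cyberhedge, or from TeamViewer; the list of remote-access product names and the 90-day "no longer in use" threshold are assumptions, and password sharing itself cannot be detected from a host, so the script instead reports whether TeamViewer has an unattended-access password configured, since a fixed unattended password is what gets shared.

```powershell
# Added example (not from the article): audit one Windows host for the hygiene
# failures reported at Oldsmar. Run in an elevated PowerShell session.
$findings = @()

# 1. Operating system still in support? Windows 7 (6.1) left extended support on
#    2020-01-14 and Windows 8.1 (6.3) on 2023-01-10; anything below 10.0 is flagged.
$os  = Get-CimInstance Win32_OperatingSystem
$ver = [version]$os.Version
if ($ver -lt [version]'10.0') {
    $findings += "Unsupported OS: $($os.Caption) ($($os.Version))"
}

# 2. Remote-access software installed? Read the Uninstall keys in both the 64-bit
#    and 32-bit registry views. The product watch-list is an assumption; extend it.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$remoteTools = 'TeamViewer|AnyDesk|VNC|LogMeIn|Splashtop'   # assumed watch-list
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $remoteTools }
foreach ($app in $installed) {
    $findings += "Remote-access tool installed: $($app.DisplayName) $($app.DisplayVersion)"
}

# 3. Is TeamViewer still in use? Report its service state and the age of its newest
#    log file. A tool whose log has not been written in 90 days (assumed threshold)
#    is a candidate for removal, which is what Oldsmar failed to do.
$svc = Get-Service -Name TeamViewer -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "TeamViewer service: status $($svc.Status), start type $($svc.StartType)"
}
$logDirs = @("$env:ProgramFiles\TeamViewer", "${env:ProgramFiles(x86)}\TeamViewer")
$lastLog = Get-ChildItem $logDirs -Filter 'TeamViewer*_Logfile*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($lastLog) {
    $age = (Get-Date) - $lastLog.LastWriteTime
    if ($age.TotalDays -gt 90) {
        $findings += "TeamViewer log last written $([int]$age.TotalDays) days ago; confirm it is still needed or remove it"
    }
}

# 4. Unattended access configured? TeamViewer stores the (encrypted) fixed
#    unattended-access password in the SecurityPasswordAES registry value. A fixed
#    password is the one that ends up shared across staff; prefer per-user accounts
#    with two-factor authentication, or remove the tool entirely.
foreach ($key in 'HKLM:\SOFTWARE\TeamViewer', 'HKLM:\SOFTWARE\WOW6432Node\TeamViewer') {
    $tv = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($tv -and ($tv.PSObject.Properties.Name -contains 'SecurityPasswordAES')) {
        $findings += "TeamViewer unattended-access password is configured under $key"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script only reports; removing the software, migrating the OS and replacing a shared fixed password with individual accounts and two-factor authentication are the actual remediations, and each finding should be tracked to closure rather than just printed.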

Report

Analysis

The Oldsmar breach paints a picture of severely deficient cyber governance practices at the water utility. Unfortunately, the same worst practices in cyber hygiene (running outdated software, sharing passwords, and failing to remove software that is no longer in use) are more likely than not to exist at many more of the 50,000+ community water systems across the United States.

This case shines a glaring spotlight on the need for national standards not only for this critical infrastructure category but for other enterprises as well. It points to a clear need for upgraded, updated and more systemic cyber security standards instead of piecemeal, sector-by-sector regulatory overhauls that follow a serious breach at a company in a particular sector. SolarWinds did not reveal a need to improve cyber governance and cyber security only at software companies, or only at companies with a large government client base. SolarWinds and Oldsmar are just the two most recent cases that illustrate a systemic problem of poor cyber governance that must be addressed systemically. And while breaches will still happen in a new era of better overall cyber standards and governance, research indicates that improved, enforceable standards and mandatory disclosure reduce the frequency of breaches and can lessen the damage when one occurs.
