WILDWOOD – For most, turning a faucet and filling a glass with water isn’t something to worry about, but after a hacker gained remote access and attempted to poison the water source in Pinellas County, Florida, in February, it raised questions about what is being done locally to prevent something similar.
After more than six weeks of persistent, but unsuccessful, attempts to contact the Wildwood Water Utility, a related resolution appeared for approval by the city’s governing body March 24.
The resolution approved a contract not to exceed $24,000 with Advanced GeoServices, a Cherry Hill company, to develop a Risk and Resiliency Assessment (RRA) and update the existing Emergency Response Plan (ERP). The resolution stated that’s required by the U.S. Environmental Protection Agency (EPA).
Michael McIntyre, the director of the water utility, which services Five Mile Island – Wildwood, Wildwood Crest, West Wildwood, North Wildwood, and Diamond Beach – as well as Shawcrest and part of Rio Grande, declined an interview request from the Herald for more information on the new professional services agreement, citing the Patriot Act.
A proposal for the work submitted to McIntyre by Advanced GeoServices, and obtained by the Herald, outlines planned work.
The proposal, dated Aug. 28, 2020, and revised Sept. 14, 2020, states the RRA is required to address “the risk to the system from malevolent acts and natural hazards,” and will review “electric, computer and other automated systems, including the security of such systems,” characterize threats and perform a three-prong analysis – consequence, vulnerability and threat.
ERPs apply to all water systems serving over 3,300 people, the document states. As part of the update, Advanced GeoServices states it will “provide incident-specific response sheets designed for each specific potential incident that can be pulled out and used to assist.”
The Florida incident occurred when a remote access software, TeamViewer, was taken over by a hacker, who adjusted the chemicals in the water to deadly levels.
The hacker began to raise the water’s sodium hydroxide content, but a worker at the facility saw the hacker remotely moving the mouse on one of the computers and was able to correct the problem before significant harm could be done. Luckily, they were paying attention, because it appears there was little in the form of oversights or safeguards to prevent it.
TeamViewer wasn’t being used for remote access anymore at that facility, Pinellas County Sheriff Bob Gualtieri told CNN, but apparently was never removed from the system when it was replaced with a Google remote access program.
In addition, the plant used Windows 7, an operating system released in 2009, on its computers. All the computers used the same password for remote access, it was revealed.
Part of what was rare about the incident is that the public found out about it at all. Oftentimes, for security reasons, foiled plots or potential breaches are not publicly disclosed.
The public’s right to know conflicts with the government’s fear that releasing the information would inspire or inform other malevolent actors, which is part of the reason it’s hard to discover how much is being done to shore up Wildwood’s water system and how vulnerable it may have been.
In its 2020 annual report, recapping 2019, Wildwood Water Utility dedicates a paragraph to disclosing it “did not monitor or did not complete all monitoring or testing for iron and manganese, and therefore cannot be sure about the quality of your drinking water during that time.”
Calls to the water utility were referred to an email account, which did not return multiple emails requesting an interview.
The report states the oversight was corrected and the utility “will make every effort to ensure that all future required testing is performed.”
Phase one of the RRA is due by June 30, according to a separate proposal to perform the work by Remington and Vernick Engineers, which was not accepted by commissioners. Phase two and the updated ERP are due six months after phase one is submitted, Advanced GeoService’s proposal states.
To contact Shay Roddy, email sroddy@cmcherald.com.
ED. NOTE: Following online publication of this article, Michael McIntyre contacted the Herald asserting inaccuracies in the published article. Specifically, McIntyre stated that a voicemail message was left on the reporter’s phone, explaining that Wildwood Water Utility’s chemical feed pumps are “controlled manually” and are “not connected to the internet.” That voicemail message was not received by the reporter. McIntyre also asserted that 2019 violations cited in the utility’s 2020 report were due to “lab error and lab negligence.”
