Date: 2021-03-10

HARRISBURG, DAUPHIN COUNTY (WBRE/WYOU-TV) — The Pennsylvania Public Utilities Commission (PUC) has issued a cybersecurity advisory to the commonwealth’s water companies following an attack on a treatment plant in Florida.

According to the PUC, a plant in Oldsmar, Florida, experienced a cyberattack that was intended to gain control over systems that monitor and regulate levels of sodium hydroxide in the water supply. Sodium hydroxide is used to adjust pH and can be harmful at high levels.

Experts say attackers were able to access the systems through a program called TeamViewer that was being used for remote system status checks. The attackers used the software to increase sodium hydroxide in the water to harmful levels. However, because plant personnel were present during the attack, they were able to change the levels back to normal before any harm was done.

The attack, however, did prompt the PUC to issue advisories to water companies in Pennsylvania on how to prevent similar attacks.

“A PUC-regulated utility is required to have a cybersecurity plan for their operations, and we have regular conversations with our utility community about cybersecurity and developing cyberthreats,” said PUC Chair Gladys Brown Dutrieuille.

The PUC says that the Florida plant that was attacked ran its system on the Windows 7 operating system, which is no longer supported by Microsoft. All computers in the plant also shared the same password for remote access and appeared to be connected to the internet without a firewall for protection, leaving them vulnerable to security threats.

For Pennsylvania’s water companies, the PUC recommends that all computers running Windows be upgraded to Windows 10 and that multi-factor authentication as well as strong passwords be implemented. The PUC also says that anti-virus and other programs should be kept up to date and that systems which cannot be updated should be isolated from internet access. Users should also be trained to identify and report phishing and other social engineering attempts, while users with unusual activity should be suspended.

Read the full recommendation below.