Previously unreported details of the breach have become known thanks to a private February report by the Northern California Regional Intelligence Centre seen by the outlet.
On 15 January, the hacker, armed with a former employee's TeamViewer username and password, which enables users to remotely control computers, reportedly logged in and deleted programmes that the water plant used to treat drinking water. After the hack was discovered the following day, the facility changed its passwords and reinstalled the programmes.
"No failures were reported as a result of this incident, and no individuals in the city reported illness from water-related failures," stated the report.
The report comes as a growing number of cyberattacks on US water infrastructure have been making headlines. Another hacker who accessed a TeamViewer account raised lye levels in the drinking water to poisonous levels in Oldsmar, Florida just weeks after the San Francisco Bay Area incident.
#Hacker Alters Chemical Levels at US City's Water Treatment Plant: https://t.co/7K7l7dyBbe#internetsecurity #onlinesecurity #cyberattack #cybercrime #cybersecurity #webdev #fintech #infosec #devops #datasecurity #softwaresecurity #netsec #vulnerabilities #cybernews #hacking pic.twitter.com/9c9plXptjE— SecAlerts (@SecAlertsCo) February 9, 2021
On that occasion, an employee was quick to notice the computer's mouse moving on its own and averted further damage. Currently, the Bay Area breach is still under FBI investigation.
It's possible to buy login details on the dark web, said Kent Backman, a researcher at the cybersecurity company Dragos, cited by the outlet.
Water supplies, according to experts cited by the outlet, are very vulnerable to hackers, and successfully poisoning them is a potentially easy way to harm large group of people. While American water infrastructure has built-in security, it's lacking centralisation, unlike the electric grid, claim cybersecurity experts. As a result, they believe a large-scale water hack is unlikely.
Water facilities are largely run by nonprofit entities, with rural areas often getting water from small plants run by a handful of employees. Nevertheless, the experts say there's no straightforward protocol to safeguard water facilities.
"If you could imagine a community centre run by two old guys who are plumbers, that's your average water plant," said Bryson Bort, a consultant on industrial cybersecurity systems.
Furthermore, experts say that smaller scale facilities might not even be aware they have been hacked. Or, if they are, they are often unwilling to inform the federal government and their customers.
In light of the recent heightened cybersecurity threats cited by the administration of US President Joe Biden, the White House intends to launch a voluntary cybersecurity collaboration between the federal government and water facilities, a spokesperson said.
Nevertheless, sources say no government initiatives can offer ultimate guarantees of safety for American water from hacker attacks.