It’s the nightmare scenario for most cybersecurity analysts, and one that they’ve increasingly warned about in recent years. A hacker decides to target a critical piece of infrastructure, like a power plant or any of the 55 National Critical Functions identified by the Cybersecurity and Infrastructure Security Agency (CISA). That attack succeeds, and thousands if not millions of lives are put at risk.
And last week, the nightmare nearly became a reality…again. Someone, or some group, penetrated computer systems at a small municipal water treatment facility in Oldsmar, Florida, near Tampa Bay. The attacker briefly raised the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million, Pinellas County Sheriff Bob Gualtieri was quoted as saying in a CNN report.
Sodium hydroxide, or lye, is used to remove metals and control acidity levels in drinking water. It’s also an ingredient in liquid drain cleaners. If ingested, sodium hydroxide produces serious health effects, including severe burns and permanent damage to any tissue it touches, vomiting, and perforation of the gastrointestinal tract. Had the poisoned water reached any of Oldsmar’s 15,000 residents, the consequences could have been dire.
How It Happened
The attack occurred last week when someone accessed an employee computer remotely via TeamViewer software. A plant operator noticed remote activity on his computer for a brief period around 8 a.m. on February 5. This was not considered unusual. Plant supervisors often used remote access software to monitor operations at the plant and verify that systems were functioning normally.
But the computer was accessed again later that day. This time, an operator watched as someone accessed the water treatment software and increased the sodium hydroxide to a dangerously high level before leaving the system. The operator immediately restored the settings to an appropriate level. Sheriff Gualtieri later told a briefing that at no point was the public ever in danger.
The Oldsmar facility had redundancies and safeguards that would have prevented unsafe water from reaching residents, according to Oldsmar Mayor Eric Seidel. No arrests have yet been made, and Sheriff Gualtieri has said there is no information about whether the attack was made from within or outside the United States. But the FBI and Secret Service have joined local authorities to assist with the investigation, and remote access software has been disabled.
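One form such a safeguard can take, as an added example that is not the Oldsmar plant's or any vendor's code: a guard in the control layer that refuses a dosing setpoint outside its safe envelope (or one that jumps too far in a single step) and flags any change arriving over a remote session for operator review. The limits, tag name, and event sequence are constructed assumptions modelled on the reported incident.

```python
from dataclasses import dataclass

# Hypothetical operating envelope for the NaOH dosing setpoint, in ppm.
# The page gives 100 ppm as the normal value; max and max_step are
# assumptions chosen for illustration, not plant figures.
NAOH_LIMITS_PPM = {"min": 0.0, "max": 200.0, "max_step": 25.0}


@dataclass
class SetpointRequest:
    ts: str          # ISO-8601 timestamp
    tag: str         # control tag name (constructed)
    requested: float
    source: str      # "local_hmi" or "remote_session"


def guard_setpoint(current, req, limits=NAOH_LIMITS_PPM):
    """Return (value_to_apply, alarms) for one requested setpoint change.
    Hard limits (outside the safe envelope, or a jump larger than max_step)
    reject the change and keep the current value. A request arriving over a
    remote session is never silently applied: it is always flagged for review.
    """
    alarms = []
    if not limits["min"] <= req.requested <= limits["max"]:
        alarms.append("outside_safe_envelope")
    if abs(req.requested - current) > limits["max_step"]:
        alarms.append("step_exceeds_limit")
    rejected = bool(alarms)
    if req.source == "remote_session":
        alarms.append("remote_origin_review")
    return (current if rejected else req.requested), alarms


def replay(start, requests):
    """Run requests through the guard in order; returns (final value, log)."""
    value, log = start, []
    for req in requests:
        value, alarms = guard_setpoint(value, req)
        log.append((req.ts, req.source, req.requested, value, alarms))
    return value, log


# Constructed event sequence modelled on the reported incident: a routine
# local adjustment, then a remote session pushing the setpoint to 11,100 ppm.
EVENTS = [
    SetpointRequest("2021-02-05T08:05:00", "naoh_dose_ppm", 110.0, "local_hmi"),
    SetpointRequest("2021-02-05T13:30:00", "naoh_dose_ppm", 11100.0, "remote_session"),
]
FINAL_SETPOINT, AUDIT_LOG = replay(100.0, EVENTS)
```

With these limits the remote request is rejected and the controller keeps the last good value, while the audit log records every reason the change was refused.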
Authorities have described how the attacker was able to manipulate chemical levels in the water. But they have not yet revealed how the attacker first gained access to the remote access software. Further, they have not explained how the attacker initially gained access to the Oldsmar facility’s IT network, or why industrial control systems at the plant were connected to the internet instead of being segregated to prevent unauthorized access.
Minimizing the exposure of industrial control systems is one of several recommendations issued by Water ISAC, an industry watchdog group and CISA partner, for reducing exploitable weaknesses and attacks on water utilities. Critical infrastructure has experienced increased digitalization to improve the quality and efficiency of operations in recent years. But with greater connectivity and remote access controls comes the potential for exposure to outside attacks.
Water systems and other public utilities have become regular targets of attack. Small municipal systems like the one in Oldsmar are particularly vulnerable, but larger facilities are also at risk. In April last year, Iran’s Revolutionary Guard Corps unsuccessfully attacked Israel’s water supply and tried to modify chlorine levels. Two additional attacks on agricultural water pumps followed in June.
A Sign of Things to Come
A recent post by Krebs on Security noted that any acknowledgement of an attack on a water treatment facility is rare. It further lists several observations from experts on cybersecurity and industrial control systems that provide a sobering portrait of just how vulnerable these facilities actually are to future attacks like the one in Oldsmar.
The U.S. has about 54,000 drinking water systems, and nearly all of them rely on remote access to monitor operations, the Krebs post says. Many of these facilities lack adequate staffing, funding, and 24-hour IT operations supervision. More critically, many have not shielded their industrial control systems from access through internet-connected computer networks.
Our critical infrastructure will only increase its reliance on automated and remotely accessible systems. As a consequence, malicious actors will continue to find ways of exposing and capitalizing on vulnerabilities in these connected systems. Improving data security and protecting network access points has been part of SecureData’s commitment to total data security solutions across numerous industries for more than a decade.
Our SecureDrive® and SecureUSB® FIPS-validated hardware-encrypted storage devices keep your backups and portable storage offline and totally secure from unauthorized access. Remote drive management makes sure that IT administrators can control when, where, and by whom your data is accessed. And our cutting-edge port-blocking technology allows you to white-list or black-list any USB device, a common pathway for malware to take root in computer networks.