A Water District in Florida was Hacked - Here's What Went Wrong and How Similar Incidents Can Be Prevented
Cybersecurity experts agree the Oldsmar attack was easily preventable and this raises a "Red Flag" for critical infrastructure across the United States
Ready to make sure your organization is properly protected against similar cyber attacks or other disasters?
What exactly happened to the Water Treatment Plant in Oldsmar, Florida?
Details are still being clarified, but here’s what we know:
On February 5, 2021, the Oldsmar water treatment plant faced an initial intrusion by an unknown cyber attacker at 8:00 am. A second intrusion occurred at 1:30 pm, during which a plant operator noticed a drastic change in the chemical mix being used to treat the water. The attacker was inside the system for less than five minutes, and the plant operator reversed the chemical change immediately. The Pinellas County Sheriff insisted “the public was never in danger.”
The cyber attack was targeting the chemical balance of the water, presumably to poison the city’s approximately 15,000 residents. The Oldsmar plant operator who reversed the changes caused during the attack said levels of sodium hydroxide (commonly referred to as lye) were raised from 100 parts per million to 11,100 parts per million, a dose that could cause complications such as irritation, burning, vomiting, and even death.
So how did the breach occur?
The unknown attacker was most likely able to breach the system via remote access software known as TeamViewer. According to CSO, the software has a history of being insecure, but it was likely the most affordable option for an underfunded public utility that needed to develop a work-from-home solution amid the Covid-19 pandemic.
Local authorities claim the attacker was unable to cause any significant adverse effects on the water being treated, since the attack lasted less than five minutes.
Still, a breach into any critical infrastructure district is already too much. According to an article from the Tampa Bay Times, this hacker got farther than any other attempt to physically impact critical infrastructure in the US.
What are 3 key ways to easily defend against this type of attack?
First, let’s qualify “easily.” Hindsight is always 20/20. If you had the knowledge of where to “put your foot down” and what to prohibit on your network, it would have been much “easier” to apply that knowledge and defend against such attacks. Could preventing this attack have been easy? Sure, the steps are simple in themselves, much like a camper preventing a forest fire or a boater avoiding disaster when heading out onto the ocean: it takes planning, diligence, and a commitment to operate safely. However, “easily preventable” issues often cause forests to burn down and boats to capsize. As you read on, it becomes evident that a security policy likely did not govern the decisions that were made, and a hacker walked through an open door.
There is an ongoing investigation to determine who the attacker was. The Pinellas County Sheriff’s Department, the FBI, and the Secret Service are all looking into the attack. There is no evidence to conclude whether the attacker was in or outside the US, and it is unclear why Oldsmar, Florida would have been targeted specifically.
Despite a lack of clarification from the agencies investigating the attack, CSO says it is unlikely the attacker was backed by a nation-state or other group and much more likely that this was an “amateur operation that’s likely a crime of opportunity.”
Matt Lampe, former CIO of LADWP, added that a more advanced attacker would have taken out some of the plant’s other security measures, like the pH sensors.
This only makes the incident that much more alarming. If an amateur attacker was able to breach critical infrastructure this easily, that raises a national security concern. At a local, state, and federal level, there needs to be more concern about cybersecurity for critical infrastructure.
What does the Oldsmar attack mean for cybersecurity?
The attack in Oldsmar was possible because of the remote access software TeamViewer, which was being used during the pandemic to allow engineers to troubleshoot problems from other locations. The problem with critical infrastructure districts using this kind of software is the lack of security surrounding it.
CSO explains that the attacker accessed an Industrial Control System (ICS) remotely, likely using stolen or lost credentials.
Pinellas County Sheriff Bob Gualtieri emphasized during a press conference that public utilities systems are part of the nation’s critical infrastructure and as such present targets for these kinds of attacks.
A good point, which raises the question: why was this important SCADA system not properly secured? This is a concern for critical infrastructure everywhere.
Cybersecurity experts are saying this evident lack of multi-factor authentication, combined with unsecured remote access software, essentially made the attack “the equivalent of walking through an unlocked front door.”
Local officials stand by the additional safeguards — like the pH sensors — that would have noticed the change even if the plant operator on duty hadn’t, but five minutes inside a SCADA system is too long.
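As an added illustration, not code from the article or from Oldsmar’s actual SCADA system: a setpoint-write guard that would have flagged the reported 100 ppm to 11,100 ppm sodium hydroxide change before it reached the process, and that treats any write arriving through a remote session as needing a second operator’s approval. The safe band, the 50% step threshold, and the event format are assumptions made for this example.

```python
"""Setpoint-write guard for a water-treatment HMI (illustrative example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed safe operating band per tag, in ppm. The 100 / 11,100 ppm figures
# come from the Oldsmar reporting; the band itself is a constructed example.
LIMITS: Dict[str, Tuple[float, float]] = {"naoh_ppm": (50.0, 500.0)}
# Assumed maximum relative change allowed in a single write (50%).
MAX_STEP_FRACTION = 0.5


@dataclass
class SetpointWrite:
    tag: str
    old: float
    new: float
    source: str  # "local_hmi" or "remote_session" (constructed labels)


def evaluate(write: SetpointWrite) -> List[str]:
    """Return the reasons an operator must be alerted; empty list means accept."""
    reasons: List[str] = []
    lo, hi = LIMITS.get(write.tag, (float("-inf"), float("inf")))
    if not lo <= write.new <= hi:
        reasons.append(f"{write.tag}={write.new} outside safe band [{lo}, {hi}]")
    if write.old > 0 and abs(write.new - write.old) / write.old > MAX_STEP_FRACTION:
        reasons.append(f"{write.tag} changed by more than {MAX_STEP_FRACTION:.0%} in one write")
    if write.source == "remote_session":
        reasons.append("setpoint written from a remote access session; require second operator approval")
    return reasons


def main() -> None:
    # Constructed events: a routine local adjustment and the Oldsmar-style change.
    events = [
        SetpointWrite("naoh_ppm", 100.0, 110.0, "local_hmi"),
        SetpointWrite("naoh_ppm", 100.0, 11100.0, "remote_session"),
    ]
    for event in events:
        reasons = evaluate(event)
        status = "ACCEPT" if not reasons else "ALERT"
        print(status, event.tag, event.old, "->", event.new, reasons)


if __name__ == "__main__":
    main()
```

The second event trips all three checks, so an operator is paged before the write is applied rather than after a chemical sensor downstream reacts.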
One of the largest issues at hand here is the lack of focus on cybersecurity when it comes to setting up critical infrastructure.
President Joe Biden announced a plan to deliver clean drinking water on a massive scale, but every part of the infrastructure and plan is laid out EXCEPT for the cybersecurity measures. This is a common problem that needs to be addressed.
An article from USA Today features commentary from Tarah Wheeler, a Harvard Cybersecurity Fellow. “The systems administrators in charge of major civilian infrastructure like a water treatment facility should be securing that plant like they’re securing the water in their own kitchens,” Wheeler said via email. “Sometimes when people set up local networks, they don’t understand the danger of an improperly configured and secured series of internet-connected devices.”
How are cyber attacks like the one at the Oldsmar water treatment plant prevented?
This particular attack was incredibly easy. The system probably never should have been using the remote access software in question, but TeamViewer has yet to confirm that the breach was caused by its product.
According to a statement released by TeamViewer, the company is aware of the reports linking them to the attack but has no indication at this point that their software or platform has been compromised.
According to CSO, the next step should be identifying any other assets the organization has exposed to the internet and either removing them from public networks or implementing other security measures.
So, what should Oldsmar’s SCADA system have had in place for the water treatment plant’s cybersecurity? AllConnected has put together a five-step approach below.