A Water District in Florida was Hacked - Here's What Went Wrong and How Similar Incidents Can Be Prevented

Cybersecurity experts agree the Oldsmar attack was easily preventable and this raises a "Red Flag" for critical infrastructure across the United States

Ready to make sure your organization is properly protected against similar cyber attacks or other disasters?

What exactly happened to the Water Treatment Plant in Oldsmar, Florida?

Details are still being clarified, but here is what we know:

On February 5, 2021, the Oldsmar water treatment plant faced an initial intrusion by an unknown cyber attacker at 8:00 am. A second intrusion occurred at 1:30 pm, during which a plant operator noticed a drastic change in the chemical mix being used to treat the water. The attacker was inside the system for less than five minutes, and the plant operator reversed the chemical change immediately. The Pinellas County Sheriff insisted “the public was never in danger.” 

The cyber attack was targeting the chemical balance of the water, presumably to poison the city’s approximately 15,000 residents. The Oldsmar plant operator who reversed the changes caused during the attack said levels of sodium hydroxide (commonly referred to as lye) were raised from 100 parts per million to 11,100 parts per million, a dose that could cause complications such as irritation, burning, vomiting, and even death.

Oldsmar Water Treatment Plant

So how did the breach occur?

The unknown attacker was most likely able to breach the system via a remote access software known as TeamViewer. According to CSO, the software has a history of being insecure, but this was likely the most affordable option for an underfunded public utility that needed to develop a work-from-home solution amidst the Covid-19 pandemic. 

Local authorities claim the attacker was unable to cause any significant adverse effects on the water being treated, since the attack lasted less than five minutes.

Still, a breach into any critical infrastructure district is already too much. According to an article from the Tampa Bay Times, this hacker got farther than any other attempt to physically impact critical infrastructure in the US.

What are 3 key ways to easily defend against this type of attack?

First, let’s qualify “easily.” Hindsight is always 20/20. If you had the knowledge of where to “put your foot down,” and what to prohibit on your network, it would have been much easier to apply that knowledge and defend against such attacks. Could preventing this attack have been easy? Sure, the steps are simple in themselves, much like a camper preventing a forest fire or a boater avoiding disaster when heading out into the ocean. It takes planning, diligence, and a commitment to operate safely. However, easily preventable issues often cause forests to burn down and boats to capsize. As you read on, it becomes evident that a security policy likely did not govern the decisions that were made, and a hacker walked through an open door.

There is an ongoing investigation to determine who the attacker was. The Pinellas County Sheriff’s Department, the FBI, and the Secret Service are all looking into the attack. There is no evidence to conclude whether the attacker was in or outside the US, and it is unclear why Oldsmar, Florida would have been targeted specifically. 

Despite a lack of clarification from the agencies investigating the attack, CSO says it is unlikely the attacker was backed by a nation-state or other group and much more likely that this was an “amateur operation that’s likely a crime of opportunity.” 

Former CIO of LADWP Matt Lampe contributed, suggesting a more advanced attacker would have taken out some of the plant’s other security measures, like the pH sensors. 

This only makes the incident that much more alarming. If an amateur attacker was able to breach critical infrastructure this easily, that raises a national security concern. At a local, state, and federal level, there needs to be more concern about cybersecurity for critical infrastructure. 

"Easy" Defense Step #1: Choose your remote access solution wisely.

If TeamViewer wasn’t installed, the attack probably wouldn’t have happened. ANY remote control tool accessible from the Internet has a risk of being compromised. But this is *especially* the case with remote control software that creates a continuous outbound tunnel from Desktop to the Cloud 24x7 (whether encrypted or not), bypassing VPNs and network security, waiting for a request to control the machine it is tied to. Any compromise of security credentials, or a compromise of the software vendor itself leaves you open to unauthorized access from anywhere, anytime. Bots are built to look for holes and if you leave one open, someone will find it. We recommend all remote access first be authenticated into an isolated VPN, and that the remote control solution be vetted properly.

What does the Oldsmar attack mean for cybersecurity?

The attack in Oldsmar was possible because of the remote access software TeamViewer, which was being used during the pandemic to allow engineers to troubleshoot problems from other locations. The problem with critical infrastructure districts using this kind of software is the lack of security surrounding it. 

CSO explains that the attacker accessed an Industrial Control System (ICS) remotely, likely using stolen or lost credentials.

Pinellas County Sheriff Bob Gualtieri emphasized during a press conference that public utilities systems are part of the nation’s critical infrastructure and as such present targets for these kinds of attacks.  

A good point, which raises the question: why was this important SCADA system not properly secured? This is a concern for critical infrastructure everywhere. 

Cybersecurity experts are saying this evident lack of multi-factor authentication on the remote access software essentially made the attack “the equivalent of walking through an unlocked front door.”

Local officials stand by the additional safeguards, like the pH sensors, that would have noticed the change even if the plant operator on duty hadn’t. But five minutes inside a SCADA system is too long.

"Water systems like other public utilities systems are part of the nation’s critical infrastructure and can be vulnerable targets when someone desires to adversely affect public safety."

"Easy" Defense Step #2: Require Multi-Factor Authentication.

The Dark Web contains millions of records containing compromised email addresses, usernames, associated URLs, and passwords. In addition, credentials can be stolen, guessed, or brute-forced. Implementing MFA is a relatively easy way to improve security and insulate your organization from lost, stolen, or weak credentials.

"The practice of allowing continuous remote access to SCADA systems can be exploited regardless of the method used. Remote access should be granted to contractors on a temporary basis only for tools such as TeamViewer. Even employee access secured with MFA should not be allowed to persist beyond a reasonable amount of time."
Richard Pressler, AllConnected CTO
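Defense Steps #1 and #2, together with the point in the quote above that remote access should be temporary, amount to a checkable policy: every remote session must arrive through the isolated VPN, must have passed MFA, and must be backed by a time-bounded grant that is shorter for contractors than for employees. The script below is an added example written for this page, not AllConnected's tooling or anything from the Oldsmar investigation. The session and grant records, the role names and the maximum grant durations are all constructed assumptions; a real deployment would read them from the VPN gateway, identity provider and access-request system.

```python
"""Remote-access policy check over constructed session records (added example).

Rules enforced, drawn from Defense Steps #1 and #2 above:
  1. the session must have come in through the isolated VPN,
  2. the session must have passed multi-factor authentication,
  3. the user's access grant must exist, be time-bounded, not be expired,
     and not exceed the maximum duration allowed for the user's role.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Hypothetical policy limits: how long a single grant may stay valid per role.
MAX_GRANT_DURATION = {
    "employee": timedelta(days=30),
    "contractor": timedelta(hours=8),
}


@dataclass(frozen=True)
class AccessGrant:
    user: str
    role: str                       # "employee" or "contractor"
    granted_at: datetime
    expires_at: Optional[datetime]  # None means the grant never expires (a violation)


@dataclass(frozen=True)
class RemoteSession:
    user: str
    started_at: datetime
    via_vpn: bool      # True only when the session arrived through the isolated VPN
    mfa_passed: bool   # True only when a second factor was verified for this session
    tool: str          # remote-control tool used once inside, e.g. "rdp"


def evaluate_session(session: RemoteSession,
                     grants: dict[str, AccessGrant]) -> list[str]:
    """Return the policy violations for one session; an empty list means compliant."""
    grant = grants.get(session.user)
    if grant is None:
        return ["NO_GRANT"]
    findings: list[str] = []
    if not session.via_vpn:
        findings.append("NOT_VIA_VPN")
    if not session.mfa_passed:
        findings.append("NO_MFA")
    if grant.expires_at is None:
        findings.append("OPEN_ENDED_GRANT")
    elif session.started_at > grant.expires_at:
        findings.append("GRANT_EXPIRED")
    elif grant.expires_at - grant.granted_at > MAX_GRANT_DURATION[grant.role]:
        findings.append("GRANT_TOO_LONG")
    return findings


def audit_sessions(sessions: list[RemoteSession],
                   grants: dict[str, AccessGrant]) -> dict[str, list[str]]:
    """Evaluate every session; keyed by user (the constructed sample has one session per user)."""
    return {s.user: evaluate_session(s, grants) for s in sessions}


# Constructed sample data for an Oldsmar-style scenario; not real records.
GRANTS = {
    "operator_jane": AccessGrant("operator_jane", "employee",
                                 datetime(2021, 2, 1, tzinfo=UTC),
                                 datetime(2021, 2, 28, tzinfo=UTC)),
    "vendor_bob": AccessGrant("vendor_bob", "contractor",
                              datetime(2021, 1, 15, tzinfo=UTC), None),
    "vendor_carol": AccessGrant("vendor_carol", "contractor",
                                datetime(2021, 2, 5, 8, tzinfo=UTC),
                                datetime(2021, 2, 5, 16, tzinfo=UTC)),
    "vendor_dave": AccessGrant("vendor_dave", "contractor",
                               datetime(2021, 2, 1, tzinfo=UTC),
                               datetime(2021, 2, 10, tzinfo=UTC)),
}

SESSIONS = [
    RemoteSession("operator_jane", datetime(2021, 2, 5, 8, 0, tzinfo=UTC), True, True, "rdp"),
    RemoteSession("vendor_bob", datetime(2021, 2, 5, 13, 30, tzinfo=UTC), False, False, "teamviewer"),
    RemoteSession("vendor_carol", datetime(2021, 2, 5, 20, 0, tzinfo=UTC), True, True, "teamviewer"),
    RemoteSession("vendor_dave", datetime(2021, 2, 5, 10, 0, tzinfo=UTC), True, True, "rdp"),
    RemoteSession("unknown_user", datetime(2021, 2, 5, 13, 31, tzinfo=UTC), False, False, "teamviewer"),
]

if __name__ == "__main__":
    for user, findings in audit_sessions(SESSIONS, GRANTS).items():
        print(f"{user}: {'OK' if not findings else ', '.join(findings)}")
```

The check is deliberately independent of which remote-control tool was used: a session that bypasses the VPN or skips MFA is a violation whether it came through TeamViewer, RDP or anything else, which matches the quote's point that the practice of continuous remote access is the problem, not one product.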

One of the largest issues at hand here is the lack of focus on cybersecurity when it comes to setting up critical infrastructure. 

President Joe Biden announced a plan to deliver clean drinking water on a massive scale, but every part of the infrastructure and plan is laid out EXCEPT for the cybersecurity measures. This is a common problem that needs to be addressed.

An article from USA Today features commentary from Tarah Wheeler, a Harvard Cybersecurity Fellow. “The systems administrators in charge of major civilian infrastructure like a water treatment facility should be securing that plant like they’re securing the water in their own kitchens,” Wheeler said via email. “Sometimes when people set up local networks, they don’t understand the danger of an improperly configured and secured series of internet-connected devices.”

"Easy" Defense Step #3: Invest in outside expertise.

A cyber-security assessment can help expose critical risks and gaps to executive management. We often hear ‘there’s no budget’. Yet a breach increases the cost many times and forces the budget conversation that should have happened earlier. It reminds us of the quote ‘If you think it’s expensive to hire a professional to do the job, wait until you hire an amateur’. Identifying the gaps in your infrastructure, and prioritizing those gaps based on risk helps you to make good and important decisions in regard to the infrastructure you are responsible for. New risks are always emerging, and a recurring methodical review is essential.

How are cyber attacks like the one at the Oldsmar water treatment plant prevented?

This particular attack was incredibly easy. The system probably never should have been using the remote access software in question, but TeamViewer has yet to confirm the breach was caused because of their product. 

According to a statement released by TeamViewer, the company is aware of the reports linking them to the attack but has no indication at this point that their software or platform has been compromised. 

Now, according to CSO, the next steps should be identifying any other assets the organization has exposed to the internet and removing them from public networks or implementing other security measures.
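The "identify other exposed assets" step above is a triage problem: given an inventory of which services are reachable from the internet, decide what must come off the public network first. The script below is an added example for this page, not code from CSO, TeamViewer or AllConnected. The inventory rows are constructed, the host names are hypothetical, and the allowlist of the one service that is meant to face the internet (the authenticated VPN gateway recommended in Defense Step #1) is an assumption; the port-to-service table uses the well-known default ports of each protocol.

```python
"""Internet-exposure triage over a constructed asset inventory (added example).

Internet-reachable ICS protocol ports are rated critical, remote-access services
high, and anything else that is not on the allowlist is flagged for review.
"""
import csv
import io

# Well-known default ports; the service names are for the report only.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 5938: "teamviewer"}
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "ethernet/ip"}

# Hypothetical allowlist: the only (host, port) pairs meant to face the internet.
EXPECTED_PUBLIC = {("vpn-gw", 1194)}

SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2}

# Constructed inventory, as might be exported from an asset database or an
# external scan of the utility's address space. Not real hosts.
SAMPLE_INVENTORY = """host,ip,port,proto,reachable_from
scada-hmi-01,10.20.0.15,5938,tcp,internet
scada-hmi-01,10.20.0.15,3389,tcp,internal
plc-chem-dosing,10.20.1.7,502,tcp,internet
vpn-gw,203.0.113.5,1194,udp,internet
web-kiosk,10.20.0.60,8080,tcp,internet
fileserver,10.20.0.40,445,tcp,internal
"""


def classify(host: str, port: int):
    """Return (severity, reason) for an internet-reachable service, or None if it is expected."""
    if (host, port) in EXPECTED_PUBLIC:
        return None
    if port in ICS_PORTS:
        return "critical", f"ICS protocol {ICS_PORTS[port]} reachable from the internet"
    if port in REMOTE_ACCESS_PORTS:
        return "high", f"remote access service {REMOTE_ACCESS_PORTS[port]} reachable from the internet"
    return "review", "internet-reachable service not on the allowlist"


def triage_exposures(inventory_csv: str) -> list:
    """Parse the inventory and return findings ordered by severity, then host and port."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["reachable_from"] != "internet":
            continue  # internal-only services are out of scope for this pass
        port = int(row["port"])
        verdict = classify(row["host"], port)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({"host": row["host"], "ip": row["ip"], "port": port,
                         "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"]))


def count_by_severity(findings: list) -> dict:
    """Summary counts, useful for the executive-level view an assessment report needs."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage_exposures(SAMPLE_INVENTORY)
    for f in rows:
        print(f"[{f['severity']}] {f['host']} ({f['ip']}) port {f['port']}: {f['reason']}")
    print(count_by_severity(rows))
```

On the constructed inventory the chemical-dosing PLC's Modbus port ranks above the HMI's TeamViewer port, which is the order a utility would want to work in: the device that changes the chemical mix comes off the public network before the desktop that merely reaches it, and the intended VPN gateway is not reported as a finding at all.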

So, what should Oldsmar’s SCADA system have had in place for the water treatment plant’s cybersecurity? AllConnected has put together a five-step approach below. 

"To posture themselves more securely for the future, water utilities, which are mostly small and lacking in cybersecurity expertise, should pull in outside experts for overall security assessments that help spot internet exposures and other cybersecurity vulnerabilities."

Five-Step Guide to Defend Critical Infrastructure Against Cyber Attacks

AllConnected Specializes in Preparing, Connecting, and Protecting Critical Infrastructure

Schedule a FREE 30-minute consultation with one of our experts to determine whether you need to boost your cybersecurity to reduce your risk and maintain compliance. Ask about cybersecurity assessments or how to develop a NIST 800-171 based cybersecurity framework.

Get In Touch