Attack on a Water Treatment Plant Puts a Spotlight on Cybersecurity Vulnerabilities
Written by: Jordan Bowers and Bill Medcalf
It is hard to believe that, in this day and age, there are still people who do not understand the risk that cybersecurity threats pose to industrial environments. This is especially unnerving when those individuals oversee public utilities that provide vital services to the communities they serve.
In the recent attack on a water treatment facility in Florida, many lives could have been put in serious danger had the change in lye concentration gone undetected. The event started earlier in the morning, when an operator at the Oldsmar water treatment plant noticed the mouse on his computer moving and clicking. He assumed it was a supervisor or his boss using TeamViewer to check on the facility's systems, and said neither action would have been out of the ordinary.
Later that day, he noticed the mouse moving again. This time, what the operator saw made it clear this was not his boss or anyone else with legitimate remote access; it was definitely not something innocent. The hacker went into the plant's controls and changed the level of lye in the water from 100 ppm to 11,100 ppm. Luckily, the operator witnessed the attack in progress and immediately changed the level back to 100 ppm. Had the hacker's intentions come to fruition, the corrosive lye in the water could have caused severe damage and burns to any exposed tissue, as well as hair loss, eye damage, and irritation.
Investigators from multiple government agencies are working on this incident. Senate Intelligence Chairman Mark Warner recently sent a letter to the FBI and EPA stating his desire to be informed of any progress; he also wants to make sure that the federal government is "sharing timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers across the United States." He went on to note, "This incident has implications beyond the 15,000-person town of Oldsmar. While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar and appears to have been identified as the result of a diligent employee monitoring this facility's operations, future compromises of this nature may not be detected in time."
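The incident was caught only because an operator happened to be watching the screen. A plant does not have to rely on that: the same setpoint change can be detected automatically from the controller's change audit log. The following Python is an added example written for this article, not code from the plant, the authors, or any vendor named here. The tag names, engineering limits, log format and log lines are all constructed for illustration; a real deployment would take the limits from the facility's own process engineering review and the log from its historian or HMI audit trail.

```python
"""Setpoint-change monitor for chemical dosing tags (constructed example).

Each log line is a JSON record of one setpoint write. A write is flagged when
it (a) leaves the tag's engineering range, (b) jumps by more than the allowed
single-step change, or (c) arrives over a remote session on a tag marked as
requiring review for remote writes. All limits below are hypothetical.
"""
import json
from dataclasses import dataclass

# Hypothetical per-tag policy. 'low'/'high' bound what the controller should
# ever accept; 'max_step' is the largest change allowed in one write without
# review; 'remote_review' means any remote-session write gets flagged.
LIMITS = {
    "NAOH_DOSE_PPM": {"low": 0.0, "high": 500.0, "max_step": 50.0, "remote_review": True},
    "CL2_DOSE_PPM":  {"low": 0.0, "high": 4.0,   "max_step": 0.5,  "remote_review": True},
}


@dataclass
class Alert:
    ts: str
    tag: str
    user: str
    session: str
    old: float
    new: float
    reason: str


def check_write(tag, old, new, session, limits=LIMITS):
    """Return the list of policy violations for one write (empty when it is acceptable)."""
    lim = limits.get(tag)
    if lim is None:
        # An unknown tag is itself worth a look: policy should cover every writable tag.
        return ["no engineering limits configured for tag"]
    reasons = []
    if not (lim["low"] <= new <= lim["high"]):
        reasons.append(f"new value {new} outside engineering range [{lim['low']}, {lim['high']}]")
    if abs(new - old) > lim["max_step"]:
        reasons.append(f"single-step change of {abs(new - old)} exceeds max_step {lim['max_step']}")
    if session != "console" and lim.get("remote_review"):
        reasons.append(f"write over '{session}' session to a tag requiring remote review")
    return reasons


def scan_log(lines, limits=LIMITS):
    """Parse JSON audit lines and return one Alert per violated rule."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        for reason in check_write(rec["tag"], rec["old"], rec["new"], rec["session"], limits):
            alerts.append(Alert(rec["ts"], rec["tag"], rec["user"], rec["session"],
                                rec["old"], rec["new"], reason))
    return alerts


# Constructed sample audit lines (timestamps and user names are placeholders).
SAMPLE_LOG = [
    '{"ts": "2000-01-01T08:02:11Z", "tag": "CL2_DOSE_PPM",  "old": 1.5,     "new": 1.7,     "user": "op1", "session": "console"}',
    '{"ts": "2000-01-01T13:30:45Z", "tag": "NAOH_DOSE_PPM", "old": 100.0,   "new": 11100.0, "user": "op1", "session": "remote"}',
    '{"ts": "2000-01-01T13:31:20Z", "tag": "NAOH_DOSE_PPM", "old": 11100.0, "new": 100.0,   "user": "op1", "session": "console"}',
]


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.tag} {a.user}@{a.session} {a.old} -> {a.new}: {a.reason}")
```

Run as written, the first line passes, the second produces three alerts (out of range, oversized step, remote session), and the operator's revert in the third line is flagged once for its step size. Flagging the revert is deliberate: a large change in either direction deserves a human look, and the cost of reviewing a legitimate correction is small compared to missing a malicious one. In a real plant the same range check belongs in the PLC or controller logic as a hard clamp as well, so that a value like 11,100 ppm is rejected rather than merely reported.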
Officials know the hacker used a remote access server that had been dormant for months. To gain remote access, the hacker needed to obtain the password. Could the hacker have known the password because they were a former employee with access and the company had not changed it since their departure? Possibly. Was this an attack intended to sabotage the Super Bowl, which was being held a few short miles away? Considering it would have taken at least 48-72 hours for the water to reach the public, that is a plausible theory.
The FBI released a threat alert shortly after the attack saying "corrupt insiders and external cyber actors [were] using desktop sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors." The alert was released to express concern over hackers exploiting software such as TeamViewer to gain access to, and control of, companies' systems.
Regardless of the motive behind this breach, it is not the first attack of its kind and it will not be the last. As the investigation continues, it will likely be determined that the plant did not follow best practices, in turn putting the local community in harm's way. To help utilities be proactive, the EPA has provided a brief and extremely helpful document that outlines the risk of cyber threats to water and wastewater systems and the steps to develop a cybersecurity program: https://www.epa.gov/sites/production/files/2018-06/documents/Cybersecurity_guide_for_states_final_0.pdf
Protecting Industrial Control Systems (ICS) from outside threats involves challenges that GPA is uniquely qualified to handle. Modern control system infrastructure is more complex than the proprietary solutions of the past and requires a new resource model to effectively manage the integration and life cycle of modernized OT infrastructure. Securing and managing OT infrastructure is not the primary role of the process control engineer, and IT is not typically trained in the skill set specific to managing and protecting OT assets, processes, and networks. In many cases, critical ICS infrastructure is left unmanaged and open to cybersecurity risks that can have dire consequences.
The first step in mitigating risk is to assess the current security posture. GPA takes a holistic view of a facility's cybersecurity objectives, ICS program maturity, and the current state of its automation environment. GPA then develops a comprehensive strategy to mitigate risk and partners with the facility to implement appropriate, cost-effective security controls.
Once a system is secured, GPA's team can ensure there is a plan in place for monitoring it and keeping it up to date.
To learn more about how GPA can help your facility, visit www.global-business.net.