On Friday, February 5, 2021, a hacker initiated an attack on a water treatment facility in Oldsmar, Florida, briefly adjusting the sodium hydroxide level from 100 parts per million to 11,100 parts per million. The attack occurred about 15 miles from the Super Bowl venue and two days before the game. Had it succeeded, it would have raised the sodium hydroxide in the water supply to an incredibly dangerous level. Fortunately, a vigilant employee saw the intrusion attempt as it was occurring and stopped it.
As the article noted, “Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.” This is not the first attempt to gain control over industrial control systems (ICS) at a water treatment facility. In April 2020, Israel’s National Cyber Directorate announced, “Reports have been received by the National Cyber Directorate about attempted attacks on command and control systems of wastewater treatment plants, pumping stations, and sewage.”
While the method of intrusion in the Florida attack was the abuse of remote access credentials that were shared between employees, there are many other approaches that hackers can and will take to infiltrate critical infrastructure facilities. With the increased interconnectedness provided by the Internet, there are no longer many facilities that can rely on isolation or an air gap for security. While state actors might be more focused on infiltrating the electric power grid, they may find it easier to attack seemingly less critical and less protected municipal facilities.
From what we know about this cyber incident, it could have been prevented with more securely configured remote engineering access. This facility was allowing remote access into its ICS with a software package called TeamViewer, which was not securely configured (and may not have even been authorized software). In addition to the insecure remote access problem, there is another operational issue that comes to mind: why did the HMI application accept such a value for sodium hydroxide at all?
As our Principal Risk and Solutions Consultant, Jeremy Morgan, put it, “That’s just poor design, unless the attacker also modified the settings files or something even deeper. Engineering teams should never build an HMI that allows this, and even if you need it for emergencies or maintenance, there should be manual lockouts on the valve requiring human intervention. This is control system 101 territory.”
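As an added illustration of the design point above (example code written for this post, not the facility's HMI or any Industrial Defender product), the following setpoint validator enforces engineered limits on the HMI side: a hard range that no mode can exceed, a lower ceiling for routine operator changes, a maximum step per command, and a maintenance override that is only honored when a local interlock has been physically released. All limit values are constructed for the example and are not real plant parameters.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SetpointLimits:
    """Engineered limits for one chemical dosing setpoint (constructed values)."""
    hard_min: float    # never accepted below this, in any mode
    hard_max: float    # never accepted above this, in any mode
    normal_max: float  # ceiling for routine operator changes
    max_step: float    # largest change accepted in a single command
    unit: str = "ppm"


# Assumed limits for a sodium hydroxide (NaOH) dosing loop; not real plant values.
NAOH_LIMITS = SetpointLimits(hard_min=0.0, hard_max=200.0, normal_max=150.0, max_step=25.0)


def validate_setpoint(current: float, requested: float, limits: SetpointLimits,
                      maintenance_mode: bool = False,
                      local_interlock_released: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason) for a requested setpoint change.

    The reason string is meant to be logged and alerted on: a rejected request
    for a wildly out-of-range value is itself a strong intrusion indicator.
    """
    # Maintenance mode is only honored when someone at the equipment has
    # released the local interlock; a remote session cannot grant itself this.
    if maintenance_mode and not local_interlock_released:
        return False, "maintenance mode requested without local interlock release"

    # Hard limits apply regardless of mode.
    if not (limits.hard_min <= requested <= limits.hard_max):
        return False, (f"{requested} {limits.unit} outside hard limits "
                       f"[{limits.hard_min}, {limits.hard_max}]")

    # Routine changes are capped below the hard limit.
    if not maintenance_mode and requested > limits.normal_max:
        return False, (f"{requested} {limits.unit} exceeds normal ceiling "
                       f"{limits.normal_max}; maintenance mode required")

    # Large jumps are rejected even when the target is in range.
    delta = abs(requested - current)
    if delta > limits.max_step:
        return False, (f"change of {delta} {limits.unit} exceeds max step "
                       f"{limits.max_step}")

    return True, "accepted"


if __name__ == "__main__":
    # The Oldsmar values from the incident: 100 ppm -> 11,100 ppm.
    print(validate_setpoint(100.0, 11100.0, NAOH_LIMITS))
    print(validate_setpoint(100.0, 110.0, NAOH_LIMITS))
```

The point of the layered checks is that a remote operator session, even a fully authenticated one, cannot push the process outside its engineered envelope; the hard limit and the interlock requirement stay out of reach of the HMI user entirely.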
All infrastructure facilities need to be more aware of cybersecurity issues. There are two main facets of awareness. The first facet is employee training (and re-training) on best practices for cybersecurity. In the case of the Florida treatment facility, the incident might have been prevented by better password security practices and rules on sharing accounts among employees. The second facet is having the appropriate cybersecurity products to apply and audit security best practices, quickly identify intrusions, and provide contextual alerts to experts who can mitigate an attack.
As OT cybersecurity attacks increase, companies need to be more proactive about implementing stronger cybersecurity controls and selecting the right tools to help them do this. While many security products have an IT focus, critical infrastructure teams need a tool that is purpose-built for ICS environments, since these systems have a unique set of vendor products (hardware and software) and associated requirements, such as NERC CIP, that must be met to adequately provide protection against cybersecurity threats.
If you are a current Industrial Defender customer, you can create a software inventory report and filter to see what remote access software is in your OT systems and which devices are using it. Make sure to look at interfaces on key computers in the system for unauthorized outside connections to identify alternate remote access paths. Accounts frequently used for remote access should also change passwords often, even with 2FA enabled. To learn more about how you can use Industrial Defender to secure OT remote access, check out this infographic.
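To show the kind of audit the paragraph above describes in working code, here is an added example (written for this post, not Industrial Defender's reporting feature) that filters a software inventory export for remote access products, compares hits against an approved list, and reviews the accounts used for remote access for sharing, missing 2FA and stale passwords. The inventory rows, account records, approval list and the 90-day password age threshold are all constructed for the example.

```python
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed software inventory export (not real plant data).
INVENTORY_CSV = """host,software,version,publisher
HMI-01,TeamViewer,15.4,TeamViewer GmbH
HMI-01,FactoryTalk View,11.0,Rockwell Automation
ENG-WS-02,AnyDesk,6.1,AnyDesk Software
ENG-WS-02,Citrix Workspace,21.2,Citrix
HIST-01,VNC Server,6.7,RealVNC
SCADA-SRV,Wonderware InTouch,2020,AVEVA
"""

# Constructed record of accounts used for remote access.
REMOTE_ACCOUNTS_CSV = """account,shared,mfa,last_password_change
ops-remote,yes,no,2020-06-01
jsmith,no,yes,2021-01-15
"""

# Substrings that identify common remote access products in inventory names.
REMOTE_ACCESS_KEYWORDS = ("teamviewer", "anydesk", "vnc", "logmein",
                          "remote desktop", "citrix", "splashtop", "gotomypc")

# Assumed approval list: the only remote access path engineering has sanctioned.
APPROVED_REMOTE_ACCESS = {("ENG-WS-02", "Citrix Workspace")}

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy threshold


def find_remote_access_software(inventory_csv: str) -> List[Dict[str, object]]:
    """Return every inventory row that looks like remote access software."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["software"]
        if any(key in name.lower() for key in REMOTE_ACCESS_KEYWORDS):
            findings.append({
                "host": row["host"],
                "software": name,
                "version": row["version"],
                "approved": (row["host"], name) in APPROVED_REMOTE_ACCESS,
            })
    return findings


def unauthorized_hosts(findings: List[Dict[str, object]]) -> List[str]:
    """Hosts carrying at least one remote access product that is not approved."""
    return sorted({str(f["host"]) for f in findings if not f["approved"]})


def audit_remote_accounts(accounts_csv: str, today: date,
                          max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> Dict[str, List[str]]:
    """Map each remote access account to a list of policy issues (empty if clean)."""
    issues: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        problems = []
        if row["shared"].strip().lower() == "yes":
            problems.append("shared account")
        if row["mfa"].strip().lower() != "yes":
            problems.append("no MFA")
        age = (today - date.fromisoformat(row["last_password_change"])).days
        if age > max_age_days:
            problems.append(f"password age {age} days exceeds {max_age_days}")
        issues[row["account"]] = problems
    return issues


if __name__ == "__main__":
    hits = find_remote_access_software(INVENTORY_CSV)
    for hit in hits:
        print(hit)
    print("unauthorized hosts:", unauthorized_hosts(hits))
    print(audit_remote_accounts(REMOTE_ACCOUNTS_CSV, date(2021, 2, 5)))
```

Keyword matching on product names is deliberately broad; the approval list is what turns a hit into a finding, so an unexpected second product on an otherwise sanctioned host (AnyDesk beside Citrix on ENG-WS-02 in the sample data) still surfaces as an alternate remote access path.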