Commentary by Michael Mimoso, Editorial Director at Claroty
On Friday February 5, a remote cyber-attack was conducted against a water treatment facility in Florida. The attack could have had catastrophic health effects on the local population, and it reinforces the need for the water sector, and critical infrastructure operators more broadly, to be vigilant about the security of their networks.
The facility, located in Oldsmar, was accessed twice on Friday, according to city officials and law enforcement. The second intrusion at 1:30 p.m., five-and-a-half hours after the first, saw the attacker change levels of sodium hydroxide in residential and commercial drinking water from 100 parts-per-million to 11,100 parts-per-million. Sodium hydroxide, or lye, is added to water to control acidity and remove certain metals from the water; lye is the primary agent in drain cleaner and is a caustic substance that is dangerous if consumed.
An operator who saw the first intrusion at 8 a.m. dismissed it as perhaps a supervisor accessing a system for monitoring, officials said. During the second intrusion, the same operator watched the attacker control the system for up to five minutes, opening several applications, including the one for the chemical process that was altered.
After the attacker exited the system, the operator was able to bring the levels back down to normal; redundancies in the system would have prevented the tainted water from reaching residents and businesses regardless, officials said.
The compromised system was password protected, officials said, indicating that the attacker either guessed a weak credential or used a stolen one to access the facility.
Critical infrastructure risks in 2021 have been elevated on a number of fronts, largely because of the COVID-19 pandemic. Most companies, utilities in particular, have had to increase the number of remote connections to critical systems for maintenance and updates; every added connection raises an organisation's exposure along with its demand for remote access.
Grant Geyer, Chief Product Officer and head of Claroty’s threat research team, said “Water and wastewater is one of the most at-risk critical infrastructure sectors today. Industrial control system (ICS) vulnerability disclosures impacting the sector have increased significantly year-over-year. As noted in our Biannual ICS Risk & Vulnerability Report released a few days ago, the Claroty Research Team found that ICS vulnerabilities disclosed during the second half (2H) of 2020 increased by 54% from 2H 2019 and 63% from 2H 2018 in water and wastewater.
“Due to the long depreciation period of equipment in critical infrastructure environments, technology obsolescence and the accompanying security vulnerabilities are a common occurrence. Additionally, many water utilities are small entities and are under-resourced, making the challenge of developing a robust security program that much more challenging.
“The solution is not as simple as eliminating remote access to such high-stakes environments. The nature of our increasingly digitised world, especially with the shift to remote work caused by the pandemic, makes remote access a requirement – even in critical infrastructure. This isn’t a “should we or shouldn’t we” discussion – it’s coming at us. The key is how remote access can be implemented securely, so that we can stop these attacks – which will inevitably continue to happen – before the damage is done.”
Just last year, Israel’s Water Authority was targeted in a large-scale attack. Hackers attempted to access the command and control systems of wastewater treatment plants, pumping stations, and sewage infrastructure. A statement from the Water Authority and National Cyber Directorate reported the incident appeared to be coordinated, but no damage had occurred. Password resets were mandated and control software updated; some systems were disconnected from the internet if they could not be updated.
All water utilities and critical infrastructure operators alike should undertake a risk assessment, which includes a thorough understanding of external and internal threats, potential attack vectors, and a thoughtful approach to education, secure architecture, controls, processes, and monitoring.
Automated technology that monitors process values and provides visibility into abnormal readings is essential to alert operators to potential intrusions and to threats to the availability and safety of services.
Remote access solutions designed specifically for operational technology networks are also essential to heading off the risks posed by attacks such as the one in Florida. Such technology not only allows remote troubleshooting from anywhere, but also restricts the creation and approval of remote sessions to authorised users, and can shut down a session when an alert or policy violation occurs.