Last Friday (5 February 2021), attackers gained access to the industrial control system (ICS) at a water treatment plant in a small town in Pinellas County, Florida. A plant operator caught the intrusion almost immediately, but not before the apparent hackers tried to raise the sodium hydroxide (lye) dosing setpoint from about 100 parts per million (ppm) to 11,100 ppm, a level dangerous to anyone drinking the water.
The attackers took remote control of the operator workstation, moving the mouse and changing values on screen, through TeamViewer, a legitimate remote-access application that is commonly used in industrial settings. The plant operator watched the intrusion as it was happening and reversed the change immediately, so the public was never at risk.
The incident is a reminder that attackers often see critical infrastructure as easy prey. “Water systems, like other public utility systems, are part of the nation’s critical infrastructure and can be vulnerable targets when someone desires to adversely affect public safety,” Pinellas County Sheriff Bob Gualtieri said in a press conference on Monday.
If the plant operator hadn’t been able to quickly reverse the changes, other mechanisms could have alerted staff to the increase in sodium hydroxide levels. Still, even if other periodic monitoring mechanisms had flagged the increase, there’s no guarantee they could have prevented people from getting sick. Gus Serino, principal ICS security analyst at Dragos (an ISA Global Cybersecurity Alliance member company), recommended some ways to prevent and mitigate similar incidents in a blog post.
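The "other mechanisms" that should catch a change like this are checks that run independently of the HMI the attacker controlled: an engineering envelope on the dosing setpoint, a limit on how large a single step can be, and a rule that writes arriving over a remote session are alarmed and held until someone on site confirms them. The following is an added example of such a check, not code from the article, from the Oldsmar plant, or from any of the vendors quoted; the tag name `NAOH_SP`, the limits, the source labels and the sample write events are all constructed for illustration, with the article's 100 ppm normal value and 11,100 ppm attacker value reused as inputs.

```python
"""Independent setpoint-change check for a chemical dosing loop.

Added example, not code from the original article or the plant involved.
Tag name, limits, source labels and sample events are constructed.
The intent is that this logic runs in the controller, a safety
instrumented system or a separate monitoring node, never in the HMI
that a remote-access session can drive.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SetpointLimits:
    """Engineering envelope for one dosing setpoint (assumed values)."""
    low: float             # lowest plausible setpoint, in ppm
    high: float            # highest plausible setpoint, in ppm
    max_step_ratio: float  # largest allowed single jump, as a multiple


@dataclass
class SetpointWrite:
    """One setpoint write as a historian or write-monitor would record it."""
    tag: str
    current: float
    requested: float
    source: str                     # e.g. "HMI-local", "TeamViewer"
    confirmed_locally: bool = False  # second person on site acknowledged


@dataclass
class Verdict:
    accept: bool
    alarms: list = field(default_factory=list)


# Sources that mean the write did not originate at a local console (assumed).
REMOTE_SOURCES = {"TeamViewer", "VPN", "RDP"}

# Assumed envelope for the lye feed: normal operation is around 100 ppm.
NAOH_LIMITS = SetpointLimits(low=50.0, high=300.0, max_step_ratio=2.0)


def check_setpoint_write(write, limits, remote_sources=REMOTE_SOURCES):
    """Evaluate a setpoint write against limits the HMI cannot override.

    Returns a Verdict: accept is False if the value is outside the
    engineering envelope, if the step is too large, or if the write came
    over a remote session and has not been confirmed on site.
    """
    alarms = []

    # 1. Absolute range: the requested value must be a plausible setpoint.
    if not (limits.low <= write.requested <= limits.high):
        alarms.append(
            f"{write.tag}: {write.requested:g} ppm outside "
            f"{limits.low:g}-{limits.high:g} ppm envelope")

    # 2. Rate of change: one write may not jump by more than the allowed ratio.
    if write.current > 0:
        ratio = write.requested / write.current
        if ratio > limits.max_step_ratio or ratio < 1 / limits.max_step_ratio:
            alarms.append(
                f"{write.tag}: step x{ratio:.1f} exceeds allowed "
                f"x{limits.max_step_ratio:g}")

    # 3. Origin: remote writes are held until a local operator confirms them.
    if write.source in remote_sources and not write.confirmed_locally:
        alarms.append(
            f"{write.tag}: written over remote session ({write.source}) "
            f"without local confirmation")

    return Verdict(accept=not alarms, alarms=alarms)


# Constructed sample writes: a routine local trim, the Oldsmar-style remote
# jump, and a remote write that is in range but unconfirmed.
SAMPLE_WRITES = [
    SetpointWrite("NAOH_SP", 100.0, 105.0, "HMI-local"),
    SetpointWrite("NAOH_SP", 100.0, 11100.0, "TeamViewer"),
    SetpointWrite("NAOH_SP", 100.0, 105.0, "TeamViewer"),
]


def review_writes(writes, limits=NAOH_LIMITS):
    """Apply the check to a batch of writes; returns (write, verdict) pairs."""
    return [(w, check_setpoint_write(w, limits)) for w in writes]


if __name__ == "__main__":
    for write, verdict in review_writes(SAMPLE_WRITES):
        status = "ACCEPT" if verdict.accept else "REJECT"
        print(f"{status} {write.tag} {write.current:g} -> {write.requested:g} "
              f"from {write.source}")
        for alarm in verdict.alarms:
            print("   ALARM:", alarm)
```

The point of the third rule is not that TeamViewer is inherently bad but that a write arriving over any remote path deserves a second set of eyes before it reaches the process; the first two rules are what would have caught the 11,100 ppm value even if nobody had been watching the screen.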
John Cusimano, vice president of industrial cybersecurity at aeSolutions (another ISAGCA member company), said an incident like this was inevitable—but also wondered how intentional it was. “This is the kind of scenario we all knew would happen eventually,” he wrote on LinkedIn. “Fortunately, the operator detected and was able to respond quickly—which indicates to me that it was either an unsophisticated attacker or it was an authorized person who remoted in and made a big mistake. Either way, this incident should be an alarm to the water sector. It needs to be thoroughly investigated by ICS cyber experts to determine the ‘smoking gun.’”
The incident can also be seen as proof that facility engineers and operators are already well-aware of cyber risks. “Every water facility (I know of) has that exact risk scenario—both abusing remote access and manipulating water treatment—on their radar. Facility engineers and operators mostly say ‘well, if someone manipulated the values, that would be noticed very soon’—which is exactly what happened in Florida,” ICS cybersecurity expert Sarah Fluchs wrote on LinkedIn. “I’m not saying you can’t/shouldn’t defend against attacks like these—just saying the incident is probably not going to shock water utilities as much as the security bubble expects. Water utilities are not clueless regarding cybersecurity, and yes, they likely know about the pitfalls of TeamViewer.”
“Unsophisticated attacks, like what appears to have taken place in Oldsmar [Florida], are easily prevented by following industry standards and best practices such as ISA/IEC 62443 or NIST 800-82,” Cusimano said via email, when asked for additional comments. “We always recommend starting with a vulnerability and risk assessment to understand the vulnerabilities that present the highest operational risk to the organization, and then follow that by preparing a mitigation plan that is prioritized by risk.”
The FBI and the Secret Service were called in to assist with the investigation of the incident, according to an article from Reuters.
A recent study from Claroty (another ISAGCA member company) found that critical infrastructure sectors were the most affected by ICS security vulnerabilities disclosed during the second half of 2020. Within those sectors, the number of disclosed ICS vulnerabilities affecting water and wastewater rose 54 percent compared with the second half of 2019 and 63 percent compared with the second half of 2018.