Building a Resilient World:

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

What Does the Florida Water Supply Incident Mean for ICS Cybersecurity?

Last Friday (5 February 2021), attackers gained access to the industrial control system (ICS) at a water treatment plant in a small town in Pinellas County, Florida. A plant operator caught the breach almost immediately, although the apparent hackers tried to increase the amount of sodium hydroxide in the water supply to dangerous levelsfrom about 100 parts-per-million (ppm) to 11,100 ppm.

The attackers remotely took control of the mouse and the system using a legitimate application called TeamViewer, commonly used in industrial settings for remote access. The plant operator noticed the intrusion as it was happening and reversed the changes immediatelyso, fortunately, the public was never at risk.

The incident is a reminder that attackers often see critical infrastructure as easy prey. “Water systems, like other public utility systems, are part of the nation’s critical infrastructure and can be vulnerable targets when someone desires to adversely affect public safety,” Pinellas County Sheriff Bob Gualtieri said in a press conference on Monday. 

If the plant operator hadn’t been able to quickly reverse the changes, other mechanisms could have alerted staff to the increase in sodium hydroxide levels. Still, even if other periodic monitoring mechanisms had flagged the increase, there’s no guarantee they could have prevented people from getting sick. Gus Serino, principal ICS security analyst at Dragos (an ISA Global Cybersecurity Alliance member company), recommended some ways to prevent and mitigate similar incidents in a blog post.

John Cusimano, vice president of industrial cybersecurity at aeSolutions (another ISAGCA member company), said an incident like this was inevitable—but also wondered how intentional it was. “This is the kind of scenario we all knew would happen eventually,” he wrote on LinkedIn. “Fortunately, the operator detected and was able to respond quickly—which indicates to me that it was either an unsophisticated attacker or it was an authorized person who remoted in and made a big mistake. Either way, this incident should be an alarm to the water sector. It needs to be thoroughly investigated by ICS cyber experts to determine the ‘smoking gun.’”

The incident can also be seen as proof that facility engineers and operators are already well-aware of cyber risks. “Every water facility (I know of) has that exact risk scenario—both abusing remote access and manipulating water treatment—on their radar. Facility engineers and operators mostly say ‘well, if someone manipulated the values, that would be noticed very soon’—which is exactly what happened in Florida,” ICS cybersecurity expert Sarah Fluchs wrote on LinkedIn. “I’m not saying you can’t/shouldn’t defend against attacks like these—just saying the incident is probably not going to shock water utilities as much as the security bubble expects. Water utilities are not clueless regarding cybersecurity, and yes, they likely know about the pitfalls of TeamViewer.”

“Unsophisticated attacks, like what appears to have taken place in Oldsmar [Florida], are easily prevented by following industry standards and best practices such as ISA/IEC 62443 or NIST 800-82,” Cusimano said via email, when asked for additional comments. “We always recommend starting with a vulnerability and risk assessment to understand the vulnerabilities that present the highest operational risk to the organization, and then follow that by preparing a mitigation plan that is prioritized by risk.”

The FBI and the Secret Service were called in to assist with the investigation of the incident, according to an article from Reuters.

A recent study from Claroty (another ISAGCA member company) found that critical infrastructure sectors were most affected by ICS security vulnerabilities reported during the second half of 2020. Among those sectors, water and wastewater saw an increase in disclosed ICS cybersecurity vulnerabilities of 54 percent from the second half of 2019 and 63 percent from the second half of 2018.

Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.

Kara Phelps
Kara Phelps
Kara Phelps was the content manager for ISA from 2019-2021.

Related Posts

Industrial Control Systems Certification

An increasing number of intentional attacks are being detected that target industrial control systems (IC...
Nikhil Kapoor Jun 7, 2024 7:00:00 AM

Most Cybersecurity Teams Are Unprepared for AI Cyberattacks

Cybersecurity teams aren’t the only ones using artificial intelligence to their advantage — cybercriminal...
Zac Amos May 31, 2024 4:02:28 PM

Protecting Vital OT Infrastructure: Key Strategies for OT Penetration Testing

Operational technology (OT) cybersecurity faces significant challenges in maturing its operations and pro...
Mohannad AlRasan May 24, 2024 4:44:16 PM