By Ben Taylor
On 05 Feb, unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system of a drinking water treatment plant in Oldsmar, Florida. Investigators have noted the cyber actors likely gained access by exploiting cybersecurity vulnerabilities at the utility, including poor password security and possibly using leaked credentials found in a data breach. Additionally, they’ve observed the desktop sharing software “TeamViewer” may have been used to access the system. Once the system was accessed, the intruders manipulated the level of sodium hydroxide, also known as lye or caustic soda, from a setting of 100 parts per million to 11,100 parts per million. The incident showed similarities to attacks in 2020 against Israeli water and wastewater infrastructure.
At high levels, sodium hydroxide can severely damage human tissue. It is the main ingredient in liquid drain cleaners, but at low levels is used to control water acidity and remove metals from drinking water. Potential harm to the local community was prevented by a quick response from the operator on duty, who immediately noticed and reversed the change and alerted supervisors. Even without this timely response, other security measures and factors likely would have prevented the change from taking effect and any tainted water from being introduced into the distribution system. Furthermore, officials noted it would have taken 24-36 hours for the water to reach the distribution system.
While widespread harm to the population was avoided in this event, it is a clear example of the dangers that blended threats can pose. A Blended Threat is a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to have crossover impacts and harm life, information, operations, the environment, and/or property. We have been writing on the dangers and impacts of blended threats for several years. In reference to the Israeli attacks mentioned earlier, Israel’s National Cyber Chief Yigal Unna noted “Rapid is not something that describes enough how fast and how crazy and hectic things are moving forward in cyberspace and I think we will remember this last month and May 2020 as a changing point in the history of modern cyber warfare… we can see something like this aiming to cause damage to real life and not to IT or data.”
In this incident, a more impactful outcome was avoided, but one can imagine how badly it could have gone: individuals could have become ill, with cascading effects as the water was distributed onward to facilities for use by people or in operations. Blended threats to critical lifelines and vital services have been demonstrated in water, communications, healthcare and other areas of critical infrastructure, and they will continue to appear throughout our environment as we become increasingly connected.
Fortunately, there are actions and best practices that can be taken to mitigate cyber threats and the risks associated with blended threats.
Prevention & Mitigation
In 2019 WaterISAC, which monitors security incidents in the sector and advises water and wastewater utilities on threats and best practices for preparedness, published the 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, which was a revamp of the original document published in 2012 and updated in 2014 and 2016. The guide presents best practices that water and wastewater utilities can implement to reduce security risks to their IT and OT systems. Below we will highlight a few of those best practices that were on display during the incident on the Oldsmar plant, as well as areas for improvement to enhance resiliency.
Demonstrated Best Practices
- Install independent cyber-physical safety systems
As indicated in the reporting, the system had built in redundancies where the increase of chemical concentration would have been identified and halted prior to reaching the public.
- Participate in Information Sharing and Collaboration Communities
Response to the incident has been a collaborative effort from the utility itself, to local/state/federal government entities, as well as the private sector. Within days of the attack WaterISAC and its partners, including the industrial control system cybersecurity company Dragos, conducted a webinar to highlight what was known about the attack, lessons learned, and protective strategies against similar incidents.
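The first best practice above, an independent cyber-physical safety system that catches an out-of-range chemical setpoint before it reaches the process, is easy to state but worth seeing in working form. The following is an added illustration written for this post; it is not code from Gate 15, WaterISAC, or the Oldsmar utility. It models a guard that sits between the HMI write path and the dosing actuator and rejects any setpoint that is outside engineered bounds or changes too much in a single write. The tag name, the 50–200 ppm range and the 25 ppm step limit are constructed assumptions for the demonstration, not the plant's actual engineering values; the 100 → 11,100 ppm jump is the value reported in the incident.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SetpointLimits:
    """Engineered bounds for one controllable tag (constructed values below)."""
    tag: str
    low: float        # lowest value the process may ever be commanded to
    high: float       # highest value the process may ever be commanded to
    max_step: float   # largest change accepted in a single write


@dataclass(frozen=True)
class Decision:
    """Outcome of one write request; rejected requests become alarm records."""
    tag: str
    source: str       # who issued the write, e.g. "hmi" or "remote-session"
    requested: float
    applied: float    # value actually left on the actuator
    accepted: bool
    reason: str


class SetpointGuard:
    """Independent range and rate-of-change check on setpoint writes.

    The guard is meant to run on a device the HMI cannot reprogram (a safety
    PLC or a separate controller), so that a compromised operator workstation
    can request a value but cannot change the limits that validate it.
    """

    def __init__(self, limits: List[SetpointLimits]) -> None:
        self._limits: Dict[str, SetpointLimits] = {l.tag: l for l in limits}
        self._current: Dict[str, float] = {}
        self.alarms: List[Decision] = []

    def initialize(self, tag: str, value: float) -> None:
        """Seed the last-known-good value (e.g. read back from the dosing pump)."""
        if tag not in self._limits:
            raise KeyError(f"no limits engineered for tag {tag!r}")
        self._current[tag] = value

    def request(self, tag: str, value: float, source: str) -> Decision:
        """Validate one write; the actuator is only updated on acceptance."""
        lim = self._limits.get(tag)
        current = self._current.get(tag)
        fallback = current if current is not None else float("nan")
        if lim is None:
            return self._reject(tag, source, value, fallback, "tag has no engineered limits")
        if not (lim.low <= value <= lim.high):
            return self._reject(tag, source, value, fallback,
                                f"outside engineered range {lim.low}..{lim.high}")
        if current is not None and abs(value - current) > lim.max_step:
            return self._reject(tag, source, value, fallback,
                                f"step {abs(value - current)} exceeds max_step {lim.max_step}")
        self._current[tag] = value
        return Decision(tag, source, value, value, True, "within limits")

    def _reject(self, tag: str, source: str, requested: float,
                applied: float, reason: str) -> Decision:
        d = Decision(tag, source, requested, applied, False, reason)
        self.alarms.append(d)   # raise an alarm to the operator; actuator untouched
        return d


# Constructed example limits; they are not the Oldsmar plant's engineering values.
NAOH_LIMITS = SetpointLimits(tag="NAOH_SETPOINT_PPM", low=50.0, high=200.0, max_step=25.0)


def run_demo() -> List[Decision]:
    """Replay a constructed write sequence: a routine trim, then the 100 -> 11,100 ppm jump."""
    guard = SetpointGuard([NAOH_LIMITS])
    guard.initialize("NAOH_SETPOINT_PPM", 100.0)
    writes = [
        ("NAOH_SETPOINT_PPM", 110.0, "hmi"),              # normal operator adjustment
        ("NAOH_SETPOINT_PPM", 11100.0, "remote-session"), # the value reported in the incident
        ("NAOH_SETPOINT_PPM", 180.0, "hmi"),              # in range, but too large a single step
    ]
    decisions = [guard.request(tag, value, source) for tag, value, source in writes]
    for d in decisions:
        status = "ACCEPT" if d.accepted else "REJECT"
        print(f"{status} {d.tag} {d.requested} from {d.source}: {d.reason} (applied={d.applied})")
    return decisions


if __name__ == "__main__":
    run_demo()
```

The point of the design is independence: the limits live in the guard, not in the HMI, so an attacker who controls the operator screen can only request a change, and the rejected request becomes an alarm record rather than a process change. In a real plant the same role is played by hard-wired or safety-PLC interlocks and by the analyzers downstream of the dosing point.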
Areas for Improvement
- Minimize Control System Exposure
Completely isolating a control system may not be feasible. Connections are difficult to avoid given the need for remote system access by vendors and staff as well as the need to export control system data for regulatory and business purposes. Below are several resources for minimizing exposure.
- Enforce User Access Controls
In light of reports referencing both data breaches and TeamViewer, utilities should review user access controls, particularly as they relate to role-based access control, password hygiene, and secure remote access.
Along with operational security actions, organizations are always encouraged to take proactive actions via preparedness: develop appropriate plans and procedures, conduct training and education, and exercise. Need help? Among other ways we’re eager to assist, Gate 15 has robust experience planning and conducting exercises at all levels across the critical infrastructure community with private and public sector organizations.
Understand the Threats.
Assess the Risks.
Take action! Our team is here to help you build the relationships and capabilities you need and to assist in the development of plans, training, and exercises to support your ability to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk to your organization in our complex, all-hazards environment.