Advisen

'Bad actors are out there': Cyber experts have long warned of an attack on water supply systems

By Erin Ayers

The announcement of a Feb. 5 cyberattack on a public drinking water supply in Florida, an event that could have been much worse, illustrates the gaps in critical infrastructure cybersecurity and the need for full visibility across industrial control systems.

In a press conference on Feb. 8, Pinellas County Sheriff Bob Gualtieri shared details of the attack, explaining that someone remotely accessed the water treatment system for the city of Oldsmar, Fla. They were able to briefly change the levels of sodium hydroxide, also known as lye, from 100 parts per million to 11,100 parts per million.

The hacker appears to have been able to infiltrate the city’s water system via TeamViewer, a remote desktop software. According to Gualtieri, at 8 a.m. on Friday morning, a city employee noticed someone accessing the remote system and at first didn’t think anything of it, since water workers regularly access the system remotely. Upon seeing the change in chemical content about five hours later, the plant supervisor quickly readjusted the levels and shut off remote access.

Sheriff Gualtieri said law enforcement officials don’t know why Oldsmar, a city with 15,000 residents near Tampa, was targeted, but they are investigating the event. He and other city officials stressed the many “redundancies” in the system that would have caught the change before the water went out to the public drinking water system.

For Oldsmar’s city officials, the key goal was to get the information out there and warn others.

“These kinds of bad actors are out there. It’s happening, so really take a hard look at what you have in place,” said Oldsmar’s mayor, Eric Seidel, during the press conference.

The event wasn’t an accident, Sheriff Gualtieri emphasized, adding, “It’s a bad act. It’s a bad actor.”

“In order to get into the system, somebody had to use some pretty sophisticated ways of doing it,” he said. “It’s the primary ingredient in liquid drain cleaners. It’s lye. If you put that amount of that substance into the drinking system, it’s not a good thing.”

Instances of industrial control system vulnerabilities are on the rise, with manufacturing, energy, water and wastewater plants among the most affected, according to a recent report from Claroty. In the first half of 2020, 449 vulnerabilities that could impact industrial systems were disclosed.

“Attacks against ICS devices and OT networks tend to be targeted. While ICS and SCADA vulnerability research is maturing, there are still many decades-old security issues yet uncovered,” said researchers at Claroty.

Dragos, a firm specializing in industrial and operational cybersecurity, applauded the city of Oldsmar for its transparency about the attack and offered some insight into remote access for critical infrastructure.

TeamViewer is a legitimate software but may not always be authorized in industrial environments, Dragos said in a blog post. Visibility across industrial environments is essential, the firm said.

“Had the operator not observed the attacker actively manipulating the screen, it is possible that several other mechanisms in the water treatment plant control and monitoring system would have alerted plant staff to the condition. However, it is also entirely possible that this action could have resulted in people getting sick or potentially even death,” said Dragos, adding, “Even these safeguards are not adversary proof.”

The event also highlights the ongoing threats facing municipalities, according to Jeremy Turner, head of threat intelligence at Coalition.

“Municipalities are targets largely due to their tech debt; technologies that were established a long time ago and have not been maintained, or in some cases, they may be unaware that they even exist,” Turner told Advisen in an email. “Older organizations with strained IT budgets like universities, hospitals, and municipalities are prime targets for this reason. Cyberattacks that have real-world impacts on physical systems or safety are a growing concern.”

The city of Oldsmar may not have properly protected its systems from outsiders, Turner added, explaining that a network scan of the municipality’s public-facing protections indicated some vulnerabilities.

“The first step they should take is to ensure that these controls are not accessible from the internet,” he said. “We do expect to see more cyberattacks causing physical harm, which was one of the primary motivators behind us adding coverage for these types of events. Attack patterns follow vulnerability patterns, the more connected systems of a certain kind -- like these control systems -- the more likely it is that attackers will target these systems.”

American Water Works Association (AWWA) CEO David LaFrance called the event a “jarring reminder” of the cyber threats facing water infrastructure.

“We live in a world where cyber intrusions are increasingly common in our personal and professional lives,” he said in a statement. “Given the essential nature of water service, it's well known that water infrastructure -- and water treatment plants of all sizes -- are potential targets of people with bad intentions.”

LaFrance highlighted the fact that a “vigilant water operator” was able to thwart the attack and added, “The incident makes clear to all water utilities and governing boards that they must take action to prevent or discourage similar attacks.”

Editor Erin Ayers can be reached at erin.ayers@zywave.com