Just two days before one of the largest annual sporting events in the world—the National Football League’s Super Bowl LV on February 7—a cyber-attacker compromised a remote-access program at a water treatment plant in Oldsmar, Florida, in an attempt to poison the town’s water supply.
Pinellas County Sheriff Bob Gualtieri reported that the unidentified attacker hacked into a remote access program called TeamViewer on February 5. TeamViewer allows users to remotely access computers, and was used at the plant to troubleshoot parts of the plant’s computerized systems. That morning, a plant employee reportedly noticed that his mouse was moving independently, but didn’t think much about it. Later that afternoon, the employee saw the activity again. This time, the remote hacker had commandeered the mouse to increase the level of lye, or sodium hydroxide, being added to the water, raising it from 100 parts per million to 11,100 parts per million. Sodium hydroxide is used in small amounts to help reduce acidity, manage pH levels and remove metals. Sodium hydroxide also is the primary ingredient in liquid drain cleaners. Used at high levels, the chemical can be dangerous, and could have rendered Oldsmar’s water undrinkable and even dangerous to touch.
The plant employee immediately re-adjusted the levels and alerted his supervisor, who then called the police. The FBI and Secret Service also have been called in to investigate.
At a news conference on February 8, Oldsmar City Manager Al Braithwaite said that the remote access program had been disabled, and that the city will look for a replacement. The identity of the attacker remains unknown, as does the origin of the attack.
This is not the first time that cyber-attackers have tried to compromise a water treatment plant or other critical infrastructure. In April 2020, hackers broke into an Israeli water system and tried to modify the water’s chlorine levels. Then, just two months later, in June 2020, attackers hit two additional Israeli water management facilities. One attack was on agricultural water pumps in Galilee, and the second hit water pumps in the central province of Mateh Yehuda.
Other critical infrastructure also has been attacked. In late 2015, a large section of the Ukraine population suffered power cuts following a series of cyber-attacks on three local energy companies. In 2013, a New York dam located about 50 miles north of Manhattan that is integral to regional flood control was attacked. (Fortunately, the attackers never managed to fully access the dam’s systems.)
The United States recognizes that critical infrastructure is a prime target for cyber attackers. On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within the Department of Homeland Security (DHS) and established the Cybersecurity and Infrastructure Security Agency (CISA). CISA plays a key role in helping critical infrastructure organizations, both private and public, by providing guidance on protecting against cyber attackers.
Remote access control programs such as TeamViewer, which are known as Operational Technology (OT), play a key role in managing and monitoring systems, and are essential to around-the-clock, 365-day-a-year operations. While OT solutions are invaluable in helping to maintain operations, they also create additional vectors for attackers to gain access and compromise systems. To protect against this risk, organizations need to ensure that their cybersecurity programs and supporting controls are routinely tested for both efficiency and effectiveness.
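The setpoint change described above, from 100 ppm to 11,100 ppm, is exactly the kind of write a simple engineering guard can catch. The following is an added example, not code from the original article or from any utility or vendor it mentions: a check that a plant could run in front of its HMI or over its historian's write log, holding any setpoint that leaves the engineered operating band and flagging large single-step changes, while recording whether the write arrived over a remote-access session. The tag name, the limits, the log format and the log lines are all constructed assumptions for illustration.

```python
"""
Added example, not from the original article: a guard for chemical-dosing
setpoint writes. Each write is checked against an engineered operating band
and a maximum single-step change, and the guard records whether the write
arrived over a remote-access session. Tag names, limits, the log format and
the log lines are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    low: float                # lowest setpoint the process is engineered for
    high: float               # highest setpoint the process is engineered for
    max_step_fraction: float  # largest relative change accepted in one write


# Assumed band for sodium hydroxide dosing in ppm; real limits come from the process engineer.
BANDS = {"naoh_ppm": Band(low=50.0, high=200.0, max_step_fraction=0.25)}


@dataclass(frozen=True)
class SetpointWrite:
    ts: str
    tag: str
    old: float
    new: float
    source: str  # constructed values: "local_hmi" or "remote_session"


def parse_line(line: str) -> SetpointWrite:
    """Parse one constructed 'key=value' write-log line."""
    fields = dict(part.split("=", 1) for part in line.split())
    return SetpointWrite(fields["ts"], fields["tag"], float(fields["old"]),
                         float(fields["new"]), fields["source"])


def evaluate(write: SetpointWrite, bands=BANDS) -> list[str]:
    """Return the reasons a write deserves attention; an empty list means it is routine."""
    band = bands.get(write.tag)
    if band is None:
        return ["unknown_tag"]
    reasons = []
    if not band.low <= write.new <= band.high:
        reasons.append("out_of_band")
    if write.old > 0 and abs(write.new - write.old) / write.old > band.max_step_fraction:
        reasons.append("large_step")
    if reasons and write.source == "remote_session":
        reasons.append("via_remote_access")
    return reasons


def decide(reasons: list[str]) -> str:
    """'hold' needs a second operator to confirm; 'review' is alerted but applied; 'allow' is routine."""
    if "out_of_band" in reasons or "unknown_tag" in reasons:
        return "hold"
    if reasons:
        return "review"
    return "allow"


def triage(log: str) -> list[tuple[str, float, str, list[str]]]:
    """Return (timestamp, new value, decision, reasons) for every write that is not routine."""
    results = []
    for line in log.strip().splitlines():
        w = parse_line(line)
        reasons = evaluate(w)
        if reasons:
            results.append((w.ts, w.new, decide(reasons), reasons))
    return results


# Constructed write log: a routine local adjustment, a remote jump far above the band,
# and the operator's corrective write back to the normal value.
SAMPLE_LOG = """
ts=2021-02-05T08:02:11 tag=naoh_ppm old=100 new=105 source=local_hmi
ts=2021-02-05T13:30:42 tag=naoh_ppm old=100 new=11100 source=remote_session
ts=2021-02-05T13:34:05 tag=naoh_ppm old=11100 new=100 source=local_hmi
"""

if __name__ == "__main__":
    for ts, new, decision, reasons in triage(SAMPLE_LOG):
        print(f"{ts} new={new:g} decision={decision} reasons={','.join(reasons)}")
```

Only the out-of-band write is held for a second confirmation; the operator's corrective write back to 100 ppm is also a large step and is flagged for review, but it is applied, which is why the guard does not block on step size alone. A guard like this is one of the controls the paragraph above says should be tested routinely, and the sample log is the kind of input such a test would replay.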
On July 23, 2020, CISA, along with the National Security Agency (NSA), issued updated critical infrastructure recommendations that included limiting or eliminating remote access. The recommendation states: “Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets.” (The full report can be found here: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems | CISA)
CISA also issued a warning on April 16, 2020 regarding the vulnerabilities of Virtual Private Networks.
The cyber-attack in Florida is likely to focus more attention on the need to protect both industrial control systems and supervisory control and data acquisition (SCADA) systems. Notably, the attack also will elicit more attention from cyber-attackers, who are more aware than ever of the vulnerabilities of these systems.
To help mitigate risk, every technology component within the critical infrastructure ecosystem must be routinely assessed and tested.
The Biden administration’s $1.9 trillion COVID-19 bill calls for $9 billion in federal cybersecurity improvements, which includes $690 million for a CISA project that is designed to improve monitoring and response to cyber incidents across government agencies. The Biden administration also is expected to further protections against cyber-attacks by increasing both scrutiny of, and requirements for, cybersecurity regulatory compliance.
Cybersecurity regulatory compliance and foundational practices are required for a solid program and defense against attackers. HKA’s Cybersecurity Team has significant experience and expertise conducting cybersecurity assessments to identify program gaps and weaknesses, as well as providing remediation and implementation support.
About the Author:
Michael Corcione has more than 30 years of experience in advising companies and boards of directors on technology, cybersecurity, privacy and risk management strategies. Over the past decade, he has led the delivery of Virtual Chief Information Security Officer (vCISO) services for advisory firms, which provide a CISO, along with cyber, privacy, and information security subject-matter experts, to organizations of all sizes and verticals. Michael currently consults on regulatory enforcement matters, corporate initiatives and risk management related to cyber and information security, as well as privacy. He is currently a member of the cybersecurity advisory board at Pace University, and a member of the Board of Trustees of the American Management Association International.