Cybersecurity Snapshots #15 - Attacks Against the Nation's Water Systems

Cybersecurity Snapshots #15 -

Attacks Against the Nation's Water Systems

A threat actor recently remotely accessed the IT system of the water treatment facility of Oldsmar, Florida, and tried to poison the town's water supply by raising the levels of sodium hydroxide, or lye, in the water supply. The hacker's attempt to damage the water treatment plant raises alarms about just how vulnerable the nation's water systems may be to attacks by more sophisticated intruders. Water treatment plants are typically cash-strapped and lack the cybersecurity depth of the power grid and nuclear plants.

According to local authorities, the water treatment facility's breach in Oldsmar, Florida, occurred just two days before the NFL's Super Bowl LV was held nearby in Tampa. An operator at the plant first noticed a brief intrusion Friday, Feb. 5, around 8:00 a.m. Someone remotely accessed the computer system that controls chemical levels in the water and other operations while the operator was monitoring it. The operator "didn't think much of it" because it's normal for his supervisors to use the remote access feature to monitor his computer screen at times. However, around 1:30 p.m., the computer system was again accessed remotely. The operator observed the mouse moving around on the screen to access various systems that control the water being treated. During the second intrusion, which lasted three to five minutes, the intruder changed the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million, which is a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners and is used to control water acidity and remove metals from drinking water in water-treatment plants. Fortunately, the operator quickly changed the level back to normal after the intrusion and alerted supervisors, who then contacted the Pinellas County Sheriff's Office. The FBI and U.S. Secret Service are investigating the incident to discover who was behind the attack. At this time, authorities have leads but have not identified a suspect, nor do they know if the attack came from inside the United States or outside the country.

CISA, the FBI, EPA, and MS-ISAC have recently confirmed the hackers used the desktop sharing software TeamViewer to gain access to the city's water system. All of the computers with this remote access tool were discovered using the same password for accessing the water system. A firewall was also not implemented.

A local sheriff's startling announcement that the water supply of Oldsmar, population 15,000, was briefly in jeopardy exhibited uncharacteristic transparency. Suspicious incidents are rarely reported and usually are made to seem like mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.

Principal incident responder at Dragos Security Lesley Carhart stated that it had been well known for a long time that municipal water utilities are extraordinarily underfunded and under-resourced, which makes them a soft target for cyberattacks. Lesley Carhart, who specializes in industrial control systems, also stated that she works with many municipal water utilities for small, medium, and large-sized cities, and all of them have a very small IT staff. Some of them have no dedicated security staff at all.

Bonnifer Ballard, director of the Michigan Section of the American Water Works Association, stated that the Florida incident had grabbed water plant operators' attention. Ballard stated that such a breach is technically possible at water plants in Michigan, but safeguards are in place, and cybersecurity audits are required by federal law. She stated that breaches like the one in Florida are unlikely to succeed because even small water systems have humans who monitor treatment levels. Employees at water plants are trained to spot and respond to irregularities. The Florida plant had safeguards that would have detected the chemical alteration in 24 to 36 hours. Water goes to holding tanks before reaching customers and would have been caught by a secondary chemical check. Jake Williams, CEO of the cybersecurity firm Rendition Infosec, stated that engineers have been creating safeguards "since before remote control via cyber was a thing," making it highly unlikely the breach could have led to "a cascade of failures" tainting Oldsmar's water.

The Michigan Department of Environment, Great Lakes and Energy (EGLE) urged water plants to check the security protocols they have in place. The EGLE stressed awareness and pushed water plants to ensure they have security protocols to avoid such a breach such as what happened in Florida. The EGLE stated that if the water plant allows some level of remote monitoring and operation of the facilities, they suggest adding additional safeguards like establishing chemical dosage limits, eliminating equipment overrides, and reducing controls on systems to minimize the impact of this type of security breach.

CISA recently provided recommendations on how to securely implement TeamViewer software, such as setting random passwords to generate 10-character alphanumeric passwords. They also provided recommendations for bolstering water and waste treatment systems security, including installing independent cyber-physical safety systems. They also recommend water treatment facilities enable multi-factor authentication, use strong passwords to protect remote desktop protocol credentials, implement firewalls, and use the most up-to-date operating system. 

A new 2020 paper in the Journal of Environmental Engineering found that water utilities have been hacked by various intruders, including amateurs just poking around, disgruntled former employees, cybercriminals looking to profit, and state-sponsored hackers. Although such incidents have been relatively few, that does not mean the risk is low and that most water systems are secure. There has been an increase in the frequency, diversity, and complexity of cyberthreats to the water sector. Although the emergence of new threats, such as ransomware or cryptojacking, was found, a recurrence of similar vulnerabilities and threats, such as insider threats, was also evident, emphasizing the need for an adaptive, cooperative, and comprehensive approach to water cyberdefense.