An increasingly wired world offers new targets of opportunity for cybercriminals. One of the most recent examples is a hacker’s thwarted attempt to poison a Florida city’s water supply. Unfortunately, this infrastructural cyberattack wasn’t the first, and it won’t be the last.
In early February, an unidentified person or persons breached the supervisory control and data acquisition (SCADA) system of a water treatment facility in Oldsmar, Florida. According to the Cybersecurity & Infrastructure Security Agency (CISA), the hacker or hackers used the SCADA system to increase the water’s lye content to potentially deadly levels. Luckily, a plant employee saw his mouse cursor moving and the lye levels change. The employee reversed the changes and alerted his supervisor, who then alerted the authorities.
The ensuing investigation has revealed a comedy of cybersecurity errors. The plant was using Windows 7, which is no longer supported by Microsoft, leaving it wide open to hackers. Furthermore, all employees were using the same credentials to access the SCADA system. And finally, the plant was using TeamViewer, remote access software that had been installed so employees could monitor the system offsite but was then left dormant and unsecured.
Why this is a big deal
This one instance is bad enough. The Oldsmar plant supplies water for about 15,000 people. What’s chilling is that cybersecurity missteps here are typical of not just water systems, but infrastructural systems nationwide. Krebs on Security reports that nearly all drinking water systems rely on some form of remote access. And, if you’ve been to any municipal offices lately, it’s apparent that most are understaffed and underfunded. It’s not surprising that a few would be running an outdated OS, such as Windows 7.
According to a 2020 Journal of Environmental Engineering study, water systems in the U.S. have been hacked at least 15 times—that we know about. It’s a fair assumption that some hacks go undetected and/or unreported. But it’s not just water treatment systems that should concern us.
Things got messy in 1999 when a disgruntled former sewage treatment plant employee broke into the plant’s SCADA system and dumped about 200,000 gallons of sewage into the Australian Shire of Maroochy. In 2016, Iranian hackers tried to take control of a small dam in Port Chester, New York. American and European nuclear power plants, water, and electric systems became targets of Russian cyberattacks in 2018. This was a technique they perhaps perfected with a similar attack in 2016 on the Ukrainian power grid.
What’s next? Attacks targeting automated passenger or freight trains, gas pipelines, or air traffic control towers are all within the realm of possibility. Historically, the hackers behind such attacks on soft targets are shrouded in anonymity. They could be rogue employees, bored kids, or even nation states, which appears to be the situation with the FireEye/SolarWinds hack. All of these factors will likely lead to copy-cats.
The hard truth here is that the U.S. couldn’t defend against any of the aforementioned attacks at scale. According to CISA, there are about 153,000 public drinking water systems in the U.S., supplying about 80 percent of the nation’s water. Seventy-five percent of Americans rely on 16,000 public water treatment systems. Many of these facilities are open to multiple angles of attack, including attacks on the physical facilities, denial of service, contamination, or a combination of any and all.
There’s little incentive for these facilities to upgrade their existing systems, as well. Many simply do not have modern alternatives. For example, Signaling System Number 7 (SS7) has been in use since 1975 as a set of protocols for exchanging information between phone networks. It works well, so we don’t upgrade it, except that it’s easily hacked. The same goes for mobile SMS service. How many water treatment plants, for example, rely on phone communication? How many treatment-plant employees rely on SMS?
This doesn’t even touch on the dated systems in use in these facilities, the lack of robust IT and cybersecurity support, and simple ignorance of best security practices. The issue quickly scales beyond the ability of the Department of Homeland Security and the U.S. Computer Emergency Readiness Team to address.
There are some important lessons here that can be applied across industries. First, the basics:
- Update to a supported operating system with the latest security patches.
- Use multi-factor authentication (that doesn’t leverage SMS).
- If your company is using a remote desktop protocol, use strong, user-specific passwords.
- All antivirus, spam filters, and firewalls must be current and properly configured.
- If you have a system that can’t be updated, such as a SCADA, make sure it’s isolated.
- Implement security in your processes. Many attacks can be thwarted by good human processes, oversight, and accountability.
- Finally, implement mandatory, ongoing security awareness training for all users to educate them on fundamental subjects like password security and how to spot social engineering attempts.
The CISA recommendations for water and wastewater security offer important insights for other industries as well. For example, CISA calls for independent cyber-physical safety systems. In the case of the Florida water plant, there was a system in place that would have prevented lye levels from reaching a critical volume.
According to CISA, it’s also critical to implement industrial control system (ICS) security patches, which close known vulnerabilities. Furthermore, any ICS connections should be mapped, secured, and kept to a minimum as each is a potential avenue of attack. Other important recommendations from CISA include consistent data backups, constant security monitoring, and discontinuing the use of unnecessary services, protocols, and ports.
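The independent cyber-physical safety system CISA calls for can be as simple as a guard that sits outside the HMI and refuses dosing setpoints that leave an engineered safe band or jump too far in one command. The following is an added illustration, not code from the article, CISA, or the Oldsmar plant; the `SetpointGuard` class, its limits, and the sample requests are all constructed.

```python
"""Independent setpoint guard for a chemical dosing loop (constructed example).

To be truly independent, this check must run on its own device between the
SCADA/HMI and the dosing controller, so a compromised remote session on the HMI
cannot bypass or silence it.  All thresholds and values below are made up.
"""
from dataclasses import dataclass, field


@dataclass
class DoseLimits:
    min_ppm: float       # lowest setpoint the process engineer allows
    max_ppm: float       # highest setpoint the process engineer allows
    max_step_ppm: float  # largest change permitted in a single command


@dataclass
class SetpointGuard:
    limits: DoseLimits
    current_ppm: float
    alarms: list = field(default_factory=list)  # out-of-band alarm log

    def request(self, new_ppm: float, source: str) -> bool:
        """Apply the new setpoint only if it passes both checks; alarm otherwise."""
        lo, hi = self.limits.min_ppm, self.limits.max_ppm
        if not lo <= new_ppm <= hi:
            self.alarms.append(f"REJECT {source}: {new_ppm} ppm outside [{lo}, {hi}]")
            return False
        step = abs(new_ppm - self.current_ppm)
        if step > self.limits.max_step_ppm:
            self.alarms.append(f"REJECT {source}: step {step} ppm > {self.limits.max_step_ppm}")
            return False
        self.current_ppm = new_ppm
        return True


def demo() -> list:
    """Replay three constructed commands against a guard starting at 100 ppm."""
    guard = SetpointGuard(DoseLimits(50.0, 200.0, 25.0), current_ppm=100.0)
    return [
        guard.request(110.0, "operator-hmi"),       # routine trim: accepted
        guard.request(11000.0, "remote-session"),   # far outside band: rejected
        guard.request(160.0, "remote-session"),     # in band, but 50 ppm jump: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The two rejections land in `alarms`, which should feed an alerting path (pager, SIEM) that the HMI cannot suppress; rejecting the command is what buys the operator time, whether or not anyone is watching the cursor.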
This is also an area in which working with a proven cybersecurity firm, both to perform a penetration test that identifies network vulnerabilities and to create a disaster recovery and response plan, will go a long way toward protecting you.
If your company works in the industrial sector, the implications are clear: The health and safety of thousands are at stake when attackers strike. Be proactive about putting best-practice cybersecurity controls between would-be criminals and you and your customers. Don’t wait for the copy-cat attacks to start.