- February 19, 2021
- Posted by: Paul Lepkowski
- Category: Information Security
On Friday, February 5, 2021, in Oldsmar, Florida, a hacker took control of a computer at the local water treatment plant. The attacker was able to remotely control the computer and adjust the levels of lye (a caustic chemical used in treating the water). Fortunately, an alert operator saw this occur and was able to quickly reverse the changes before damage was done. Had the change gone unnoticed, it could easily have resulted in the poisoning of the water supply.
What does this prove?
It demonstrates that many water systems, and other utilities, have severe vulnerabilities that can threaten the safety of our water. Cash-strapped municipalities often do not have the money or the expertise to identify the security issues and then actually fix them. This attack was not sophisticated.
It was the result of a stolen username and password for remote control software that can be accessed over the internet. Routine security vulnerability checks done by qualified security professionals could likely have pinpointed this issue before it was exploited. Fortunately for the town of about 15,000 people, no one was injured and dangerous levels of lye were not introduced into the water supply.
What can be done? There are a few lessons to be learned from this.
- The attack was attributed to a password for remote access software that was shared amongst several users. The sharing of passwords is definitely not a good security practice.
- The computer was running Windows 7, which Microsoft has retired and which no longer receives security updates. Always use systems that still receive up-to-date security updates.
- Critical infrastructure needs a security plan that is reviewed and updated regularly.
- Periodic security testing is vital as attackers are getting more and more sophisticated.
- Modern security controls need to be implemented and maintained to help keep these vital systems safe. These include:
  - Separate critical networks from administrative networks
  - Implement modern application-aware firewalls
  - Implement modern intrusion prevention systems (IPS)
  - Implement Security Information and Event Management (SIEM) systems to monitor alarms and events
- Have a specialized security firm do a yearly security assessment. This should include a vulnerability assessment and a penetration test.
- Zaviant Consulting can assist with any of these needs.
These types of attacks are likely to continue to increase.
Critical utilities such as water and power are vulnerable due to several risk factors. These include the aging of the systems and the fact that they were designed and built years before today's cyber security threats existed.