Anatomy of the Oldsmar Water Plant Attack
The FBI, Department of Homeland Security, U.S. Secret Service and the Pinellas County Sheriff’s Office are investigating the attack in Oldsmar; it is unclear where the attack originated and what the motivations of the attacker or attackers were.
According to a Massachusetts state cybersecurity advisory describing FBI findings on the attack, on Feb. 5 unidentified malicious actors “obtained unauthorized access, on two separate occasions, approximately five hours apart, to the supervisory control and data acquisition (SCADA) system” used at the plant.
They accessed the SCADA system “via remote access software” that “was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.”
According to ProPublica, the utility had actually stopped using the remote access software six months earlier but had never disconnected it.
Alarmingly, according to the advisory, all computers used by personnel at the Oldsmar plant were connected to the SCADA system and used an outdated, 32-bit version of the Windows 7 operating system. Even more worrisome: The Massachusetts advisory states, “computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
When the attacker took over a computer and changed the amount of sodium hydroxide in the water from 100 parts per million to 1,100 parts per million, a plant operator alerted his boss. The worker lowered the levels of sodium hydroxide, and the city called the county sheriff’s office three hours later, ProPublica reports.
What Utilities Can Learn About Cybersecurity
Large utilities often have robust cybersecurity protections, but smaller water and electric power utilities and other small critical infrastructure providers do not. That makes them easy targets, experts say.
“These are the targets we worry about,” Eric Chien, a security researcher at Symantec, tells The New York Times. “This is a small municipality that is likely small-budgeted and under-resourced, which purposely set up remote access so employees and outside contractors can remote in.”
There are several steps that utilities should take to harden their cybersecurity in the wake of the attack, according to experts.
They should update any software they use to the latest version; deploy multifactor authentication; use strong passwords to protect Remote Desktop Protocol credentials; and ensure anti-virus systems, spam filters and firewalls are up to date, properly configured and secure.
Utilities should also take steps to secure any remote access software they use. They should not use unattended access features, and IT leaders should configure the software such that the application and associated background services are stopped when not in use. They should also use a strong random-password generator to create 10-character alphanumeric passwords.
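The weaknesses described in the advisory (an unsupported operating system, direct internet exposure without a firewall, remote access software left installed after it stopped being used, and one remote access password shared across computers) can be checked against an asset inventory. The following audit is an added example, not code from the advisories or this article; the inventory field names, the sample hosts and the 90-day staleness threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"host": "ops-ws-01", "os": "Windows 7", "scada_connected": True,
     "internet_facing": True, "firewall": False, "remote_access_sw": True,
     "remote_last_used": date(2020, 8, 3), "remote_cred_id": "cred-A"},
    {"host": "ops-ws-02", "os": "Windows 7", "scada_connected": True,
     "internet_facing": True, "firewall": False, "remote_access_sw": True,
     "remote_last_used": date(2021, 2, 1), "remote_cred_id": "cred-A"},
    {"host": "eng-ws-01", "os": "Windows 10", "scada_connected": True,
     "internet_facing": False, "firewall": True, "remote_access_sw": False,
     "remote_last_used": None, "remote_cred_id": None},
]

UNSUPPORTED_OS = {"Windows 7", "Windows XP"}  # both past vendor support
STALE_AFTER_DAYS = 90  # assumed threshold for "installed but no longer used"


def audit(inventory, today):
    """Return {host: [findings]} for the weaknesses named in the advisory."""
    findings = defaultdict(list)
    cred_users = defaultdict(list)  # credential id -> hosts that use it
    for h in inventory:
        name = h["host"]
        if h["os"] in UNSUPPORTED_OS:
            findings[name].append("unsupported-os")
        if h["internet_facing"] and not h["firewall"]:
            findings[name].append("internet-exposed-no-firewall")
        if not h["remote_access_sw"]:
            continue
        if h["scada_connected"]:
            findings[name].append("remote-access-reaches-scada")
        last = h["remote_last_used"]
        if last is None or (today - last).days > STALE_AFTER_DAYS:
            findings[name].append("remote-access-unused")
        if h["remote_cred_id"]:
            cred_users[h["remote_cred_id"]].append(name)
    for hosts in cred_users.values():
        if len(hosts) > 1:  # same credential on more than one computer
            for name in hosts:
                findings[name].append("shared-remote-credential")
    return dict(findings)


if __name__ == "__main__":
    for host, issues in sorted(audit(INVENTORY, date(2021, 2, 5)).items()):
        print(host, ", ".join(issues))
```

The credential identifier stands in for a reference to a password vault entry, so the audit can detect sharing without the inventory ever holding a password.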
Water and wastewater plant operators, according to an FBI alert, should also install independent cyber-physical safety systems. “These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor,” the alert notes. Separating SCADA and operational technology systems from IT systems and networks is crucial.
“Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network,” the Massachusetts advisory states. “One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.”
Cyber-physical safety system controls include the size of the chemical pump, chemical reservoir, gearing on valves and pressure switches.
“The benefit of these types of controls in the water sector is that smaller systems, with limited cybersecurity capability, can assess their system from a worst-case scenario,” the FBI alert notes. “The operators can take physical steps to limit the damage. If, for example, cyber actors gain control of a sodium hydroxide pump, they will be unable to raise the pH to dangerous levels.”