Apr 20 2021

Cybersecurity Lessons Utilities Can Learn from the Oldsmar Water Plant Hack

Utilities can take steps to shore up their defenses and protect operational technology from cyberattacks.

While the fallout from the suspected Russian hack of federal agencies and private companies has consumed businesses, another recent cyberattack is reverberating with utilities.

In February, malicious actors attempted to tamper with the water supply of a small Florida city by hacking into a water treatment plant in Oldsmar, Fla. The attackers attempted to increase the level of lye in the city’s drinking water to dangerous levels but were quickly spotted, and the attack was mitigated before any changes were made to the water.

Though local officials hailed the response as proof that redundant controls worked, cybersecurity experts say the attack exposed the vulnerability of utilities to cyberattacks. The Oldsmar attack, they say, was not that sophisticated and easily could have ended in disaster.

A more savvy attacker could penetrate other utilities, and experts say that the Oldsmar incident should serve as a wake-up call to operators of public and private utilities — especially water utilities — to boost their cybersecurity controls. 

That includes initiatives such as separating operational technology even more from IT and internet networks, enhancing password security and authentication at such facilities and updating old software to newer and more secure versions.

Anatomy of the Olsdmar Water Plant Attack

The FBI, Department of Homeland Security, U.S. Secret Service and the Pinellas County Sheriff’s Office are investigating the attack in Olsdmar; it is unclear where the attack originated from and what the motivations of the attacker or attackers were.

According to a Massachusetts state cybersecurity advisory describing FBI findings on the attack, on Feb. 5 unidentified malicious actors “obtained unauthorized access, on two separate occasions, approximately five hours apart, to the supervisory control and data acquisition (SCADA) system” used at the plant.

They accessed the SCADA system “via remote access software” that “was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.”

According to ProPublica, the utility had actually stopped using the remote access software six months earlier but had never disconnected it.

Alarmingly, according to the advisory, all computers used by personnel at the Olsdmar plant were connected to the SCADA system and used an outdated, 32-bit version of the Windows 7 operating system. Even more worrisome: The Massachusetts advisory states, “computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”

When the attacker took over a computer and changed the amount of sodium hydroxide in the water from 100 parts per million to 1,100 parts per million, a plant operator alerted his boss. The worker lowered the levels of sodium hydroxide, and the city called the county sheriff’s office three hours later, ProPublica reports. 

WATCH: Learn how to defend your infrastructure in today's IT landscape.

What Utilities Can Learn About Cybersecurity

Large utilities often have robust cybersecurity protections, but smaller water and electric power utilities and other small critical infrastructure providers do not. That makes them easy targets, experts say.

“These are the targets we worry about,” Eric Chien, a security researcher at Symantec, tells The New York Times. “This is a small municipality that is likely small-budgeted and under-resourced, which purposely set up remote access so employees and outside contractors can remote in.”

There are several steps that utilities should take to harden their cybersecurity in the wake of the attack, according to experts.

They should update any software they use to the latest version; deploy multifactor authentication; use strong passwords to protect Remote Desktop Protocol credentials; and ensure anti-virus systems, spam filters and firewalls are up to date, properly configured and secure.

Utilities should also take steps to secure any remote access software they use. They should not use unattended access features, and IT leaders should configure the software such that the application and associated background services are stopped when not in use. They should also use a strong random-password generator to create 10-character alphanumeric passwords.

Water and wastewater plant operators, according to an FBI alert, should also install independent cyber-physical safety systems. “These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor,” the alert notes. Separating SCADA and operational technology systems from IT systems and networks is crucial.

“Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network,” the Massachusetts advisory states. “One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.”

Cyber-physical safety system controls include the size of the chemical pump, chemical reservoir, gearing on valves and pressure switches.

“The benefit of these types of controls in the water sector is that smaller systems, with limited cybersecurity capability, can assess their system from a worst-case scenario,” the FBI alert notes. “The operators can take physical steps to limit the damage. If, for example, cyber actors gain control of a sodium hydroxide pump, they will be unable to raise the pH to dangerous levels.”

iamfat42/Getty Images