Attacks on industrial control systems (ICS) are not new. Earlier, a report from industrial cybersecurity firm Claroty suggested that around 70% of the ICS vulnerabilities discovered in the first half of 2020 could be exploited remotely. That said, the intrusion attempt on the city of Oldsmar’s water supply is “Dangerous Stuff,” as Sheriff Bob Gualtieri of Pinellas County, Florida, rightly put it.
How Cybercriminals Attempted Poisoning the Entire City
On the morning of February 5, around 8 a.m., an employee of Oldsmar city’s water treatment plant noticed his cursor moving around the screen. It did not raise any eyebrows, since his supervisor regularly accessed his system remotely through the TeamViewer software for urgent maintenance work and IT issues. The cursor movement stopped after a while. However, nearly five hours later, the cursor started moving again, and this time he could see someone remotely operating the software that controls the chemicals used to treat the water before it is supplied to the entire city.
The employee saw the intruder change the sodium hydroxide setpoint for the water supply from 100 parts per million to more than 11,100 parts per million. Sodium hydroxide (also known as lye) is a chemical compound which, in low concentrations, regulates the acidity of water – in geeky terms, its pH level – making it potable for domestic use and drinking. However, the compound must be controlled and regulated, because at high concentrations it can permanently damage human tissue within minutes.
This is probably what the intruders in Oldsmar wanted. However, the alert employee quickly took control of the system and brought the sodium hydroxide level back to 100 parts per million. The entire episode lasted only three to five minutes and, as Sheriff Gualtieri stated, it did not cause any harm to the water supply. The water treatment plant has uninstalled TeamViewer since the attack.
Gualtieri also stated that the poisoned water would not have reached the taps of the city’s 15,000+ residents and local businesses within 24 hours. In the meantime, the pH sensors at the water supply plant, which are specifically designed to detect and respond to such scenarios, would have triggered alarms. Eric Seidel, Mayor of Oldsmar, said,
The protocols that we have in place, monitoring protocols, they work — that’s the good news. Even had they not caught them, there’s redundancies in the system that would have caught the change in the pH level.
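The redundancies the mayor refers to are, in control-system terms, plausibility checks and interlocks that sit between an operator (or remote) setpoint write and the dosing equipment. The following is an added example, not software from the Oldsmar plant or from the article: a small interlock that replays constructed HMI setpoint-change log lines, flags a write that leaves the engineering band or jumps too far in one step, and holds the last good value instead of applying it. The tag name `NAOH_DOSE_SP`, the limits, the session names and the log format are all hypothetical; only the 100 ppm and 11,100 ppm figures come from the article.

```python
"""Setpoint plausibility interlock for a chemical-dosing HMI (added example).

Assumed (hypothetical) log format, one line per setpoint write:
    <ISO timestamp> <HMI session> <tag> <old value> <new value> <unit>
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SetpointChange:
    ts: datetime
    session: str
    tag: str
    old: float
    new: float
    unit: str


# Hypothetical engineering limits; a real plant derives these from its process design.
LIMITS = {
    "NAOH_DOSE_SP": {"min": 50.0, "max": 200.0, "max_step": 25.0, "unit": "ppm"},
}

# Constructed sample log: a benign write, the 100 -> 11,100 ppm write described in the
# article, and the operator's revert a few minutes later.
SAMPLE_LOG = """\
2021-02-05T08:02:11 remote-session-a NAOH_DOSE_SP 100 100 ppm
2021-02-05T13:30:47 remote-session-b NAOH_DOSE_SP 100 11100 ppm
2021-02-05T13:34:02 local-console NAOH_DOSE_SP 11100 100 ppm
"""


def parse_line(line: str) -> SetpointChange:
    """Parse one log line in the assumed format."""
    ts, session, tag, old, new, unit = line.split()
    return SetpointChange(datetime.fromisoformat(ts), session, tag,
                          float(old), float(new), unit)


def evaluate(change: SetpointChange) -> list[str]:
    """Return the rule violations for one setpoint write (empty list = acceptable)."""
    lim = LIMITS.get(change.tag)
    if lim is None:
        return ["no-limits-configured"]   # unknown tag: never apply blindly
    alerts: list[str] = []
    if change.unit != lim["unit"]:
        alerts.append("unit-mismatch")
    if not lim["min"] <= change.new <= lim["max"]:
        alerts.append("out-of-range")
    # Rate-of-change rule applies only when starting from a value inside the band;
    # a write that brings the tag back into band from an excursion is always allowed,
    # so the interlock never blocks the operator's corrective action.
    old_in_band = lim["min"] <= change.old <= lim["max"]
    if old_in_band and abs(change.new - change.old) > lim["max_step"]:
        alerts.append("step-too-large")
    return alerts


def apply_setpoint(current: float, change: SetpointChange) -> tuple[float, list[str]]:
    """Interlock: hold the last good value when the requested write violates any rule."""
    alerts = evaluate(change)
    return (current if alerts else change.new), alerts


def scan(log: str) -> list[dict]:
    """Replay a log through the interlock and report what the controller would have held."""
    results: list[dict] = []
    current: float | None = None
    for raw in log.splitlines():
        if not raw.strip():
            continue
        change = parse_line(raw)
        if current is None:
            current = change.old           # seed the held value from the first record
        current, alerts = apply_setpoint(current, change)
        results.append({
            "ts": change.ts.isoformat(),
            "session": change.session,
            "requested": change.new,
            "held": current,
            "alerts": alerts,
        })
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        status = "ALERT " + ",".join(r["alerts"]) if r["alerts"] else "ok"
        print(f'{r["ts"]} {r["session"]:<18} requested={r["requested"]:>8} '
              f'held={r["held"]:>6} {status}')
```

Running the block shows the second write rejected as both out of range and too large a step, with the held value staying at 100 ppm, while the revert from 11,100 back to 100 passes because it returns to the band. Every rejected write is also a high-value alert for the operations team: a rejected setpoint from a remote session is exactly the event that should page someone.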
Addressing the cyberattack, Senator Marco Rubio tweeted on February 8, 2021, “This should be treated as a matter of national security.”
Considering the gravity of the attack, federal agencies have been asked to investigate jointly with local law enforcement and find the perpetrator. Since the plant’s OT systems were externally accessible, Gualtieri added, “If you’re connected, you’re vulnerable.”
What Experts are Saying
Chris Risley, CEO at Bastille Networks, exclusively told CISO MAG that “The water treatment system hack is troublesome because this underscores how vulnerable cities are to critical infrastructure intrusion. There’s widespread recognition of the need to eliminate potential intrusions and attacks, but limited adoption and enforcement of security policies to combat bad actors.” Risley further added that his “company’s research and discoveries related to MouseJack, KeySniffer, and KeyJack validate the thesis that the IoT is already being rolled out to individuals and enterprises with wireless protocols that have not been through sufficient security vetting. As a result, he expects millions of devices to be vulnerable to currently undiscovered attacks.”
What’s Our Viewpoint
Agreeing with both Gualtieri and Risley, we consider OT systems to be critical infrastructure. Hence, they should never be exposed to the internet or reachable from any other external network. Remote access to these systems – through TeamViewer or any other software – should be avoided completely.
Lastly, humans have always been labeled the “weak link” in cybersecurity. In this case, however, a human turned out to be the stronger link and averted potentially deadly consequences. This incident serves as a good example and highlights the importance of training for ICS cybersecurity, including training programs designed to counter industrial cybersecurity threats.
Note: Updated the Expert’s Quotes on February 10, 2021.