On February 5, 2021, a hacker remotely accessed a Florida city’s water treatment network and increased the level of sodium hydroxide (lye) in the water supply.
The attack on the City of Oldsmar’s water supply system is a stark reminder that critical infrastructure organizations must prepare for and defend against similar attacks.
The incident underscores the need for utilities, oil and gas providers, and other owners of critical infrastructure to monitor their operational technologies (OT) and industrial control systems (ICS), and secure remote access as part of a robust security program.
It is not a matter of whether such an attack will happen, but of when it will happen.
When critical infrastructure and the computer systems that run and manage it are exposed to the internet, the risks of compromise increase dramatically.
Utilities and other owners and operators of critical infrastructure (commercial facilities, communications, energy, financial services, information technology, and financial systems) must assess and limit those risks.
As the Oldsmar attack demonstrates, effective monitoring and secure remote access are two key components of a sound security program. All owners and operators of critical infrastructure must continuously and rigorously implement and update their security programs.
How the Attack Occurred
The computer system at the City of Oldsmar water treatment plant allows for remote access so authorized users can troubleshoot problems from other locations. A plant operator noticed a remote access user opening various functions in the plant computer system that control the amount of sodium hydroxide in the water. The hacker then changed the level of sodium hydroxide from 100 parts per million (ppm) to 11,100 ppm.
The operator immediately changed the setting back to the normal 100 ppm. According to the Pinellas County Sheriff, other routine procedures would have caught the increased level before the water supply became available to residents.
The remote access program (TeamViewer) has had a number of known vulnerabilities.
The National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) have issued an alert with several recommended actions to reduce external exposure and minimize risks to OT and ICS.
Have a Resilience Plan for Operational Technologies
- Disconnect systems from the internet that do not require internet connectivity for operations.
- Remove functionalities that could increase risk and attack surface area.
- Test and validate data backups and processes.
Exercise Your Incident Response Plan
- Conduct tabletop exercises, including executive personnel, to test existing incident plans.
- Partner with third parties for support. Review service contracts with third parties for emergency incident response and recovery support.
Harden Your Network
- Remote connectivity to OT networks and devices is a known path for exploitation, as described above. Reduce external exposure as much as possible.
- Ensure all communications to remote devices use a virtual private network (VPN) with strong encryption and multifactor authentication.
- Fully patch all internet-accessible systems, including the third-party software on those systems.
Implement a Continuous and Vigilant System Monitoring Program
- Log and review all authorized external access connections for misuse or unusual activity.
- Monitor for unauthorized controller change attempts.
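The two monitoring recommendations above map directly onto the Oldsmar sequence described earlier: a remote session logs in, then a controller setpoint jumps from 100 ppm to 11,100 ppm. The following script is an added example, not code from the article, the NSA/CISA alert, or the City of Oldsmar. It parses constructed remote-access and setpoint-change log lines (the log format, the tag name NAOH_PPM, the engineering limits and the trusted-network prefixes are all assumptions for illustration) and raises alerts when a remote login arrives from outside the expected networks, when a setpoint leaves its engineering range or moves by an unusually large step, or when a change is made by a session no login record explains.

```python
"""Detect risky remote-access logins and suspicious controller setpoint changes.

Added illustration for the monitoring recommendations; the log format, tag
names, limits and network prefixes below are assumptions, not real plant data.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real Oldsmar data). Two record types:
#   REMOTE   <iso-time> user=<name> src=<ip> event=login|logout session=<id>
#   SETPOINT <iso-time> session=<id> tag=<name> old=<value> new=<value>
SAMPLE_LOG = """\
REMOTE 2021-02-05T08:02:11 user=operator1 src=10.20.0.15 event=login session=S1
SETPOINT 2021-02-05T08:10:42 session=S1 tag=NAOH_PPM old=100 new=102
REMOTE 2021-02-05T13:30:05 user=vendor-support src=203.0.113.77 event=login session=S2
SETPOINT 2021-02-05T13:32:19 session=S2 tag=NAOH_PPM old=100 new=11100
REMOTE 2021-02-05T13:33:00 user=vendor-support src=203.0.113.77 event=logout session=S2
"""

# Assumed engineering limits per controller tag: (minimum, maximum, largest
# acceptable single-step change). A real plant would take these from its
# process engineers and the controller's own configured limits.
LIMITS = {"NAOH_PPM": (0.0, 150.0, 20.0)}

# Assumed allow-list of address prefixes from which remote access is expected
# (for example, the VPN concentrator's internal pool).
TRUSTED_PREFIXES = ("10.", "192.168.")


@dataclass
class Alert:
    time: datetime
    rule: str
    detail: str


def parse_line(line):
    """Split one log line into (record kind, timestamp, key=value fields)."""
    parts = line.split()
    kind = parts[0]
    ts = datetime.fromisoformat(parts[1])
    fields = dict(p.split("=", 1) for p in parts[2:])
    return kind, ts, fields


def analyze(log_text):
    """Walk the log in order and return the list of alerts it raises."""
    alerts = []
    sessions = {}  # active session id -> (user, source address)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        kind, ts, f = parse_line(raw)
        if kind == "REMOTE":
            if f["event"] == "login":
                sessions[f["session"]] = (f["user"], f["src"])
                # Rule 1: remote login from outside the expected networks.
                if not f["src"].startswith(TRUSTED_PREFIXES):
                    alerts.append(Alert(ts, "untrusted_source",
                                        f"{f['user']} logged in from {f['src']}"))
            elif f["event"] == "logout":
                sessions.pop(f["session"], None)
        elif kind == "SETPOINT":
            old, new = float(f["old"]), float(f["new"])
            lo, hi, step = LIMITS.get(f["tag"], (float("-inf"), float("inf"), float("inf")))
            user = sessions.get(f["session"], ("unknown", "unknown"))[0]
            # Rule 2: new value outside the engineering range.
            if not lo <= new <= hi:
                alerts.append(Alert(ts, "setpoint_out_of_range",
                                    f"{f['tag']} {old}->{new} by {user}"))
            # Rule 3: in range, but a larger jump than one change should make.
            elif abs(new - old) > step:
                alerts.append(Alert(ts, "setpoint_large_step",
                                    f"{f['tag']} {old}->{new} by {user}"))
            # Rule 4: change attributed to a session with no matching login.
            if f["session"] not in sessions:
                alerts.append(Alert(ts, "unknown_session",
                                    f"{f['tag']} changed by unrecorded session {f['session']}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.time.isoformat()} [{a.rule}] {a.detail}")
```

On the constructed sample, the operator's small in-range adjustment (100 to 102) is silent, while the vendor-support login from a non-trusted address and the 100 to 11,100 change each produce an alert. The point of correlating the two record types is that the setpoint alert names the remote user behind the change, which is what an operator needs in order to revert it and an incident response team needs in order to scope the session.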
Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments and provide insights on this issue.