Cyber Defense Magazine Special Annual Edition for RSA Conference 2021

Over the last few months, cybersecurity journalists and the ICS security community have been discussing
the Oldsmar Florida water system cyber-attack and other similar attacks on water infrastructure, almost
ad nauseam. While many people have been talking about this “news” topic, we’ve actually been treating
this issue with many of our customers over the past few years. In this article, I will explain what we’ve
learned from this cyberattack, but most importantly, I will share how we’ve been busy solving these issues
over the last few years with actual examples from our range of industrial cybersecurity products.
The Oldsmar Water Facility Attack
Back in February 5th, a hacker gained access into the water treatment system of Oldsmar, Florida, and
hijacked the plant’s operational controls. He was able to temporarily drive up the sodium hydroxide
content in the water to poisonous levels. The Oldsmar facility is the primary source of drinking water for
the city’s 15,000 residents. Luckily, a plant operator was able to return the water to normal levels. The
incident has nonetheless launched many conversations about the state of security in global critical
infrastructure.
But that wasn’t the whole story.
A security advisory released in March by the state of Massachusetts’s Department of Environmental
Protection, referred to additional unsafe practices or behaviors at the Oldsmar water treatment plant that
significantly increased the risk further. Like many other facilities of its kind, Oldsmar uses a SCADA
(Supervisory Control And Data Acquisition) system that allows staff to monitor and control conditions
within the facility. At the same time, the staff was using TeamViewer, a fairly common remote access
program, which can be used to monitor and control systems within the SCADA network. Sadly,
cybersecurity was not a priority for the facility, as is the case occasionally with critical infrastructure. Not
only was the Oldsmar facility using Windows 7 - an outdated software that is no longer supported by
Microsoft, but all of their employees shared the same password to access TeamViewer. Additionally, the
facility was connected directly to the internet without any type of firewall protection installed.
The Current Situation with Water Systems
In the United States alone, there are about 54,000 distinct drinking water systems. The vast majority of
those systems serve less than 50,000 residents. They mainly rely on some type of remote access to
monitor and/or administer their facilities. Many of their facilities are also unattended, underfunded, and
do not have someone watching the IT operations 24/7. Finally, many facilities have not separated their
OT (operational technology) networks from their safety systems that are in place in order to detect
intrusions or potentially dangerous changes by threat actors.
While the attempt was spotted and taken care of by a plant operator before it could do any damage, it
raises questions about how serious a threat this sort of terrorist or nation-state action could be in the
future.
25