Behind the News: Cyber Attack on Florida Water Treatment Facility
By Alon Shekalim, Cyber Security Researcher at Radiflow
Description of the Incident
On February 5, 2021, an attacker gained access to the water treatment facility in Oldsmar, Florida and changed the sodium hydroxide (lye) dosing setpoint from 100 to 11,100 parts per million. At the time of writing the attacker's identity remains unknown, despite the efforts of US law enforcement.
The attacker reached the plant's control system through TeamViewer, a remote access program the plant's engineers used to monitor networked devices and adjust their settings remotely. An operator watching the plant console noticed the cursor moving on its own as the attacker changed the sodium hydroxide setpoint, and manually reset the value to normal.
Fortunately, the operator was alert and aware; otherwise, thousands of Oldsmar residents would have been affected by poisoned water.
Cybersecurity Incidents in the Water Sector
According to ICS-CERT, the Water and Wastewater Sector (WWS) is the third most targeted sector among critical lifeline infrastructures. WWS sites are, by and large, gradually migrating to IP-based networks and cellular connectivity, which improves operational efficiency and allows remote maintenance and operation. The same connectivity, however, widens the attack surface and has brought with it an influx of cyber threats.
While many of the attacks on WWS in recent years haven’t been made public, some did reach the news:
- In 2018, our own Radiflow intrusion detection system discovered crypto-mining malware in the OT network of one of our water infrastructure customers.
- Other water facilities were subject to ransomware attacks including Jacksonville, NC-based ONWASA and the Fort Collins-Loveland, CO Water District.
- In addition, in 2020 an Iranian state-sponsored actor targeted water treatment systems in Israel with the same modus operandi: the remote access software in use at the Israeli facility served as the point of entry, and chemical values were manipulated through the facilities' management stations (HMIs).
The good news is that we have been noticing increased awareness toward the need to protect WWS facilities, as well as other nationally-critical infrastructures, by means of performing cyber risk assessments, securing remote access, applying network segmentation and developing incident management capabilities.
This is reflected both in the growing adoption of cybersecurity risk management and continuous OT security monitoring, and in the emergence of regulations and standards governing water and wastewater facilities:
- In the US, community (drinking) water systems serving more than 3,300 people are required to develop or update their risk assessments and emergency response plans, including those related to cyber-security.
- In the UK, the NCSC has developed the Cyber Assessment Framework which provides cyber security guidance for vital service organizations.
- In France, sensitive infrastructure assets in the water industry have been categorized as operators of vital importance (OIV). As a result, they are monitored closely by the French national cybersecurity agency, ANSSI.
- The EU's NIS Directive, adopted in 2016 and transposed into national law by member states in 2018, provides a comprehensive toolkit for protecting national essential services, including water and wastewater.
Insights and Recommendations
- Attackers seeking an entry point into the control network look for existing remote-support connections and use such external remote services for initial access. Remote-support tools such as TeamViewer are attractive targets because a valid session gives an attacker the same interactive control over the HMI that an engineer has. If you choose to use TeamViewer or similar software, be aware of and actively mitigate the inherent risks it introduces: stricter user account management (no shared accounts), limiting what a remote session can reach on the network, and multi-factor authentication.
- OT network visibility and threat detection must be an integral part of any utility operator’s overall cyber security strategy, not just to achieve regulatory compliance but to ensure uninterrupted, secure service to its customers.
- Understanding and managing network risk should be front and center in any organization's multi-year cybersecurity plan. The process maps the likelihood of attack (in terms of attacker tactics and techniques) against each networked device, weighted by the damage (monetary or otherwise) an attack on that device would cause to its business process. The resulting prioritized list of threats and mitigation measures lets industrial operators spend their cybersecurity budget where it reduces the most risk.
- Employing an OT-dedicated managed security service provider (OT-MSSP) is an excellent option for organizations that do not, or cannot, operate a full-fledged in-house cyber-security operation (due to budgetary or manpower limitations).
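The two recommendations above on remote access and on OT threat detection come down to the same practical check: every setpoint write should be tested against engineering limits and against who made it and from where, so that a change like 100 to 11,100 ppm raises an alarm even if no operator happens to be watching the screen. The following is an added example written for this article, not Radiflow code and not the Oldsmar plant's configuration; the HMI audit record format, the tag names, the engineering limits, the trusted network range and the shared-account list are all assumptions chosen for illustration.

```python
"""Setpoint-change monitor over constructed HMI audit records (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Engineering limits per tag. Assumed values for illustration only; a real
# deployment takes these from the plant's process documentation.
LIMITS = {
    "naoh_ppm": {"lo": 50.0, "hi": 150.0, "max_step": 25.0},
    "ph": {"lo": 6.5, "hi": 9.0, "max_step": 0.5},
}

# Networks from which setpoint writes are expected (plant control LAN). Assumed.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Generic or shared accounts that should never touch a setpoint. Assumed.
SHARED_ACCOUNTS = {"ops-shared", "admin", "teamviewer"}

# Hypothetical one-write-per-line audit record:
#   <timestamp> user=<account> src=<ip> tag=<tag> old=<value> new=<value>
RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"tag=(?P<tag>\w+)\s+old=(?P<old>-?[\d.]+)\s+new=(?P<new>-?[\d.]+)$"
)


@dataclass
class Alert:
    ts: str
    tag: str
    reasons: List[str]


def check_write(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious write, or None if the write looks normal."""
    m = RECORD_RE.match(line.strip())
    if not m:
        # An unparseable record is itself worth a look; never drop it silently.
        return Alert("?", "?", ["unparseable record: " + line.strip()])
    ts, user, src, tag = m["ts"], m["user"], m["src"], m["tag"]
    old, new = float(m["old"]), float(m["new"])
    reasons = []

    lim = LIMITS.get(tag)
    if lim is None:
        reasons.append(f"write to unmonitored tag {tag}")
    else:
        if not (lim["lo"] <= new <= lim["hi"]):
            reasons.append(f"{tag}={new} outside [{lim['lo']}, {lim['hi']}]")
        if abs(new - old) > lim["max_step"]:
            reasons.append(f"step {abs(new - old)} exceeds {lim['max_step']}")

    # Where did the write come from? A remote-support session shows up as a
    # source outside the control LAN.
    try:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in TRUSTED_NETS):
            reasons.append(f"write from untrusted source {src}")
    except ValueError:
        reasons.append(f"unparseable source address {src}")

    if user in SHARED_ACCOUNTS:
        reasons.append(f"shared account {user} used for setpoint write")

    return Alert(ts, tag, reasons) if reasons else None


def scan(lines) -> List[Alert]:
    """Run check_write over an iterable of records and keep only the alerts."""
    return [a for a in (check_write(l) for l in lines if l.strip()) if a]


# Constructed sample: a routine local adjustment, a remote write from a shared
# account to a value far outside limits, and the operator's manual reversal.
SAMPLE_LOG = """\
2021-02-05T13:02:11Z user=oper1 src=10.10.0.21 tag=naoh_ppm old=100 new=110
2021-02-05T13:30:45Z user=ops-shared src=203.0.113.7 tag=naoh_ppm old=100 new=11100
2021-02-05T13:31:02Z user=oper1 src=10.10.0.21 tag=naoh_ppm old=11100 new=100
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.ts, alert.tag, "; ".join(alert.reasons))
```

On the constructed sample the first write passes, the second raises four independent reasons (out of range, step too large, untrusted source, shared account), and the third, the operator's reversal, is flagged only for its large step. That last alert is intentional: a corrective write of that size is exactly the kind of event an incident review should see, and the rule should not be tuned away just because the value landed back in range.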
Radiflow can assist utility operators to assess their cyber risks, and lay out a roadmap toward cybersecurity regulatory compliance and continuous cyber risk management.
The attack on the Oldsmar, Florida water treatment facility used TeamViewer, the remote access software facility employees used to control networked devices remotely, as the entry point into the network.