UPDATED, Feb. 12, 2021: Hackers gained remote access to the Oldsmar, FL water plant's supervisory control and data acquisition (SCADA) system via the TeamViewer software, according to an advisory from authorities in Massachusetts. The SCADA software ran on all of the plant's computers, which shared a single password for remote access.
The computers were running the outdated Windows 7 operating system, which "will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities," the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory Thursday. Microsoft discontinued support for the OS in January 2020.
The water plant's computers were also connected openly, without a firewall, to the internet, according to Massachusetts authorities.
CISA advises water and wastewater systems to install cyber-physical safety system controls, including gearing on valves and pressure switches. Such controls give smaller water plants with insufficient cybersecurity resources a physical backstop "from a worst-case scenario" should an attacker gain access to their systems.
Oldsmar representatives did not respond in time to Cybersecurity Dive's request for comment.
Dive Brief:
- The City of Oldsmar, FL, just outside of Tampa, was targeted by a cyberattack in its water treatment plant late last week, said Sheriff Bob Gualtieri in a Monday press conference. A criminal investigation with the FBI and Secret Service is underway.
- A plant operator noticed remote activity on the TeamViewer software around 8 a.m. Friday. The software allows for remote troubleshooting access, so the operator assumed the actions were by a supervisor, said Gualtieri. By the afternoon, the unauthorized actor began opening functions pertaining to water treatment and raised the amount of sodium hydroxide in the water from 100 parts per million (ppm) to 11,100 ppm. A plant operator watching the activity immediately reverted the level.
- "The public was never in danger," said Gualtieri, but the attack did raise alarms about the vulnerabilities of U.S. water systems and other infrastructure, AP reports.
Dive Insight:
The Oldsmar attack wasn't a sophisticated, undetectable hack: the operator could follow the remote actor's mouse as it moved across the computer screen. Had an operator not been there to watch the activity, the breach might have been missed, though the plant's safeguards likely would have detected the chemical alteration before it contaminated the water.
"This is somebody that is trying — as it appears on the surface — to do something bad. It's a bad actor," said Gualtieri. "This type of hacking of critical infrastructure is not necessarily limited to just water supply systems."
The most common weaknesses in operational technology and industrial control systems (ICS) are outdated software and infrequent patching. Vulnerable ICS often run on decades-old equipment. There are 151,000 public water systems across the U.S., most of which "lack the financial fortification of the corporate owners of nuclear power plants and electrical utilities," AP reports.
Over the years, the barrier between IT and OT was deliberately eroded for ease of use, opening the door to malicious activity. Stuxnet, in 2010, was one of the first examples of malware worming its way into a uranium enrichment facility. In 2013, foreign adversaries breached a dam outside New York City.
When cyberattacks escalate to the potential of bodily harm, it raises the question of how far cyberthreats can reach before they violate international law.
"Someone tried to hurt (potentially kill) people through a cyberattack. That’s a big deal. All the other details are important to discuss and debate but we can’t lose the bigger picture," tweeted Dragos CEO Robert Lee.
Sodium hydroxide is the primary ingredient in liquid drain cleaners, according to Gualtieri. The extra sodium hydroxide would have taken between 24 and 36 hours to reach the water supply, and would have hit safety redundancies and pH alarms along the way.
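As an added illustration, not code from the article, the Oldsmar plant or CISA, of the kind of plausibility gate a cyber-physical safeguard can also provide in software: a check in front of the dosing controller that rejects a sodium hydroxide setpoint outside a safe band or one that jumps too far in a single write, and holds writes from remote sessions until confirmed at the local HMI. The tag name, the ppm limits, the session-source field and the sample writes are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed, hypothetical limits for a sodium hydroxide (NaOH) dosing setpoint in ppm;
# illustration values, not the Oldsmar plant's real configuration.
NAOH_PPM_MIN = 50.0
NAOH_PPM_MAX = 300.0
MAX_STEP_FACTOR = 2.0  # one write may at most double or halve the current setpoint

@dataclass
class SetpointWrite:
    tag: str            # hypothetical tag name of the dosing setpoint
    current_ppm: float  # value the controller holds now
    requested_ppm: float
    source: str         # "local_hmi" or "remote_session" (assumed session metadata)

def check_setpoint_write(w: SetpointWrite) -> tuple[str, str]:
    """Plausibility gate in front of the dosing controller; returns (decision, reason).
    "reject": physically implausible, never forwarded; "hold": plausible but from a
    remote session, queued for confirmation at the local HMI; "accept": forwarded."""
    if not (NAOH_PPM_MIN <= w.requested_ppm <= NAOH_PPM_MAX):
        return "reject", (f"{w.tag}: {w.requested_ppm:g} ppm is outside the safe band "
                          f"{NAOH_PPM_MIN:g}-{NAOH_PPM_MAX:g} ppm")
    if w.current_ppm > 0:
        ratio = max(w.requested_ppm, w.current_ppm) / min(w.requested_ppm, w.current_ppm)
        if ratio > MAX_STEP_FACTOR:
            return "reject", (f"{w.tag}: step {w.current_ppm:g} -> {w.requested_ppm:g} ppm "
                              f"exceeds {MAX_STEP_FACTOR:g}x in a single write")
    if w.source != "local_hmi":
        return "hold", f"{w.tag}: write from {w.source} needs confirmation at the local HMI"
    return "accept", f"{w.tag}: {w.current_ppm:g} -> {w.requested_ppm:g} ppm"

# Constructed sample writes; the last mirrors the 100 ppm -> 11,100 ppm change in the article.
SAMPLE_WRITES = [
    SetpointWrite("NAOH_DOSE_SP", 100.0, 110.0, "local_hmi"),
    SetpointWrite("NAOH_DOSE_SP", 100.0, 120.0, "remote_session"),
    SetpointWrite("NAOH_DOSE_SP", 100.0, 11100.0, "remote_session"),
]

def run_gate(writes=SAMPLE_WRITES) -> list[str]:
    """Apply the gate to each write, log the outcome, and return the decisions in order."""
    decisions = []
    for w in writes:
        decision, reason = check_setpoint_write(w)
        print(f"[{decision.upper():6}] {reason}")
        decisions.append(decision)
    return decisions

if __name__ == "__main__":
    run_gate()  # prints ACCEPT, HOLD, REJECT for the three sample writes
```

The gate is independent of the HMI and the remote-access tool, so a shared TeamViewer password alone is not enough to push an implausible dose to the controller.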
Critical infrastructure in the energy, manufacturing, and water and wastewater industries is most at risk of exploitation, Claroty found. In H2 of 2020, the water and wastewater sectors accounted for 111 vulnerabilities found in the National Vulnerability Database (NVD) and in vulnerability advisories published by the Industrial Control System Cyber Emergency Response Team (ICS-CERT). In 2019, there were 72 disclosed vulnerabilities in the sector.
The Oldsmar treatment plant has since disabled the program and will "make some upgrades to other parts of the system" to prevent similar activity, said City Manager Al Braithwaite during the press conference.