Last month, the cybersecurity world gasped as an unauthorized actor gained access to the computer system of a water treatment facility in a small Florida city and attempted to increase the levels of a chemical that could have made the water poisonous.
As details unfolded throughout the next few days, it became clear that there were not adequate cybersecurity measures in place at the water treatment plant in Oldsmar, Fla.
Especially for systems tasked with maintaining our critical infrastructure like water and energy, only the most secure solutions and practices should be applied.
What happened and what went wrong
According to a joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency, the Environmental Protection Agency and the Multi-State Information Sharing and Analysis Center, unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system of the water treatment facility with the intent of increasing the amount of sodium hydroxide in the water.
Also known as lye, the compound is corrosive and can cause chemical burns and other health issues if ingested.
Luckily, a plant operator noticed the change and reversed it immediately, before any automated check had flagged it.
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” the advisory states.
Media reports indicate that plant operators reached the system through TeamViewer, a popular remote access tool, and that all of them shared a single password.
Further, components of the water treatment facility were running on Windows 7, which Microsoft stopped supporting in January 2020, more than a year before the intrusion.
Why critical infrastructure like water systems must be secure
Cybercriminals, and even terrorists, could target resources like water because an attack could affect a large number of people. Had the malicious actor succeeded and the city's drinking water been effectively poisoned, a single intrusion would have put roughly 14,000 people at risk.
According to Damon Small, a cybersecurity expert at consulting firm NCC Group, critical infrastructure like water is a huge target for cyber actors precisely because compromising one system can cause such widespread disruption.
“Not all areas of the world have access to fresh, clean water,” Small says. “So we’re very fortunate to have that. And if you interrupt access to that, or make it poisonous, bad things can happen. It’s an easy way for a terrorist to inflict maximum impact upon a population of people.”
According to the U.S. Department of Homeland Security, water and wastewater systems is one of 16 critical infrastructure sectors designated under Presidential Policy Directive 21.
Other sectors include:
- Commercial facilities
- Defense industrial base
- Emergency Services
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials and waste
- Transportation systems
“So, it’s important enough for the Department of Homeland Security in the United States to be concerned about it,” Small says. “So, we definitely recognize these are interesting targets for the adversary.”
How to better secure remote access systems
While remote access software like TeamViewer reduces staffing requirements and keeps costs down, the software itself is a big target for hackers because compromising that one piece of software lets them “wreak havoc” on the victim’s network, says Small.
“I’ve had other people asking me, ‘Why would we even allow a municipality to use remote access software anyway? Surely it’s too dangerous, right?’ Well, as it turns out, these are business decisions that are made,” Small says.
According to Small, cybersecurity has to be applied in a way that doesn’t disrupt the business, organization or end user.
“There are no security decisions – there are only business decisions,” Small says.
In the case of the Oldsmar water treatment plant, staffing on-site support around the clock would be prohibitively expensive. Remote access keeps costs down, but basic cybersecurity practices and principles still have to be applied.
Remote access systems can be made more secure by:
- Giving every operator a unique, strong password instead of one shared credential
- Requiring multi-factor authentication for every remote session
- Placing the remote access software behind a VPN so it is not reachable directly from the internet
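The weaknesses named in the advisory and the controls listed above can be checked mechanically. The script below is an added example, not code from the article, from NCC Group or from TeamViewer: it audits a constructed remote-access inventory (host names, operating systems, password digests and the ISO dates are all assumptions made up for illustration) and reports shared passwords, operating systems past vendor end of support, remote access reachable without a VPN, and hosts that do not require MFA.

```python
"""Audit a remote-access inventory for the weaknesses the Oldsmar advisory
named: shared passwords, unsupported operating systems, remote access
reachable without a VPN, and accounts without MFA.

Added example, not code from the article or from any vendor. The inventory
format, host names, passwords and dates below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import hashlib

# Vendor end-of-support dates. Windows 7 extended support ended 2020-01-14;
# Windows 10 end of support is 2025-10-14.
OS_END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    remote_access_tool: str      # e.g. "TeamViewer"
    reachable_without_vpn: bool  # True if the tool answers without a VPN session first
    mfa_required: bool


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    password_digest: str         # digest exported from the credential store, never plaintext


def digest(password: str) -> str:
    """Unsalted SHA-256, used only to build the constructed sample below.
    Reuse detection needs comparable digests; a real credential store that
    salts per account would have to report reuse itself."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit(hosts, accounts, as_of):
    """Return a sorted list of (finding, subject) tuples; as_of is an ISO date."""
    today = date.fromisoformat(as_of)
    findings = []

    # Shared credentials: one digest on several accounts means those operators
    # type the same password, so a single leak opens every account and the
    # audit trail cannot say who actually logged in.
    users_by_digest = defaultdict(list)
    for acct in accounts:
        users_by_digest[acct.password_digest].append(acct.user)
    for users in users_by_digest.values():
        if len(users) > 1:
            findings.append(("shared-password", ",".join(sorted(users))))

    for host in hosts:
        eol = OS_END_OF_SUPPORT.get(host.os)
        if eol is None:
            findings.append(("unknown-os-support-status", host.name))
        elif eol <= today:
            findings.append(("unsupported-os", host.name))
        if host.reachable_without_vpn:
            findings.append(("remote-access-not-behind-vpn", host.name))
        if not host.mfa_required:
            findings.append(("mfa-not-required", host.name))

    return sorted(findings)


def sample_inventory():
    """Constructed data: one SCADA HMI set up the way the reports describe
    Oldsmar, and one engineering workstation configured properly."""
    hosts = [
        Host("scada-hmi-1", "Windows 7", "TeamViewer", reachable_without_vpn=True, mfa_required=False),
        Host("eng-ws-2", "Windows 10", "TeamViewer", reachable_without_vpn=False, mfa_required=True),
    ]
    shared = digest("plant2021")  # assumed shared operator password
    accounts = [
        Account("operator1", "scada-hmi-1", shared),
        Account("operator2", "scada-hmi-1", shared),
        Account("operator3", "scada-hmi-1", shared),
        Account("engineer1", "eng-ws-2", digest("correct horse battery staple")),
    ]
    return hosts, accounts


def sample_findings(as_of="2021-02-05"):
    """Run the audit over the constructed inventory as of the given ISO date."""
    hosts, accounts = sample_inventory()
    return audit(hosts, accounts, as_of)


if __name__ == "__main__":
    for finding, subject in sample_findings():
        print(f"{finding:32} {subject}")
```

Run as of February 2021, the sample reports four findings, all against the SCADA host: the three operators share a password, the host runs an unsupported OS, its remote access tool is reachable without a VPN, and MFA is not required. Moving the audit date back to December 2019 drops the unsupported-OS finding, which is the point of keying the check to a date rather than to the OS name alone.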
“I’m not going to demonize remote access – there are very valid business reasons for using remote access,” Small says. “But there are ways that it can be done to ensure the safety of the information assets you’re trying to protect.”
Cybersecurity as an applied science
A good portion of the critical infrastructure sectors defined by the U.S. Department of Homeland Security are operated by the public sector, and budget constraints and other factors leave many of these publicly operated systems unpatched and weakly protected.
To better secure those critical systems, those sectors must think of cybersecurity as an applied science.
According to Small, these are the questions organizations need to ask themselves:
- If an information asset becomes unavailable, how much is that going to cost me?
- How much is that going to impede the ability to perform the core competence of my organization?
- How long can we go without a computer system before it starts impacting the core business?
Although there is no universal formula for calculating the cost of a cyber incident, the cost of building secure systems that protect critical infrastructure is almost always far less than the cost of recovering from a compromise caused by a lapse in security.
To better apply cybersecurity and make the world a more secure place, organizations must consider information security technology in the context of the organization.
“Computer scientists have to learn the language of the business,” Small says. “We need to speak their language – not the other way around.”