This post is also available in: heעברית (Hebrew)

On February 5, hackers broke into the computer system of a facility that treats water for about 15,000 people in Oldsmar, Florida, managing to briefly alter the chemical levels in the drinking water.

Cyber resilience of critical national infrastructure is only as strong as the weakest part. In the recent case, the hackers reportedly gained access to the plant’s systems through a weakly protected software application called TeamViewer, a tool used by a large number of organisations to manage remote access to IT systems. In this case, the plant had actually stopped using TeamViewer six months ago, but left it installed. 

After remotely accessing the plant’s systems, the attacker was able to manipulate a control panel and significantly increase the levels of sodium hydroxide – also known as lye or caustic soda, an industrial cleaning agent – that were being distributed into the water supply. Luckily, a plant operator observed the attacker remotely access his computer – including the mouse moving on the screen and making changes – and was able to reverse the commands. It is also possible that other safeguards would have alerted staff or may have prevented chemical changes from reaching dangerous levels.

While it is perhaps inevitable that state actors with enough time and resources will be able to disrupt US critical national infrastructure, the inability to prevent more basic attacks from insiders, ransomware groups and hacktivists act as a warning that this will be a persistent threat. 

Supervisory Control And Data Acquisition (SCADA) systems are computer control systems designed for the monitoring, control and data gathering in the industry, infrastructures and installation fields. More intense SCADA practices are now required for cyber securing critical installations such as water systems.

According to rusi.org, endemic problems in the US water sector prevent a ‘quick fix’ for such incidents. First, the sheer scale of the US water sector. Identifying the delineation of responsibilities or even accomplishing clear stakeholder mapping represents a serious problem. With such a vast landscape and small IT budgets, cyber risk management is inevitably stretched, requiring clear and well-defined guidance for operators.

One of the challenges of implementing regulation is their resource-intensive nature. A shortage of qualified personnel at such establishments is a key issue, as usually there are only one or two people working in IT at each water plant. Any implementation of new, tighter regulation would therefore require a significant increase in spending on cyber security. Yet even basic minimum standards that require operators to decommission or remove technology when it is no longer used would have prevented the incident at Oldsmar.

Intelligent regulation would need to keep up with the times too. The coronavirus pandemic may have increased remote working in the water sector according to a Bluefield Research paper. To operate, the US water sector still needs over 1 million people on-site, but with managers, supervisors, engineers, architects, and select asset operators all working either fully or partially from different locations, remote access remains vital for the resiliency of the system. A renewed emphasis on cyber security is required.

Watch the panel discussion on OT, IoT & SCADA at the INNOTECH 2020 Conference on Cyber Innovation and Homeland Security, organized by iHLS: