Unsecure remote access technology allowed a nefarious hacker access to the water of 15,000 residents.
In another case of cyber convenience gone wrong, a water treatment plant in Oldsmar, Florida was hacked. At around 8am on Friday, February 12, a plant employee noticed that his computer was being controlled remotely. The employee wasn’t alarmed. Remote access is a common strategy the plant uses to troubleshoot IT issues.
When the curser moved again at 1:30, what the plant operator observed was anything but innocuous. Whoever was controlling the system remotely this time, spent the 3-to-5 minutes they were inside the system changing the levels of sodium hydroxide—commonly known as lye—from a safe 100 parts per million to a dangerous 11,100 parts per million. The employee quickly fixed the change. City officials reassured the 15,000 residents and businesses on the water line that even if the change hadn’t been caught by the operator, other checks and balances in place would have prevented the dangerous water from reaching the tap.
Related: Secure Access Awareness
Still, such a nefarious act is cause for alarm. The Sherriff’s office began investigating that evening. There is no indication yet as to whether the hacker was local to Florida or even the United States. The hacker is likely to face felony charges and may possibly face federal charges as well.
Senator Marco Rubio tweeted on Monday a request that the FBI “…provide all assistance necessary in investigating an attempt to poison the water supply of a Florida city,” before adding, “This should be treated as a matter of national security.”
The hack itself was unsophisticated in nature, and there is currently no evidence that the attack was attempted across any other municipalities. However, it exemplifies a big-picture problem that has concerned cyber security experts for years: internet accessible operational technology (OT). That concern has now become an actual systemic vulnerability.
Whether it was ignorance or a lack of concern that led to the vulnerabilities that enabled the hack, the water treatment plant is in good company. Despite the warnings, remote access is on the rise; not decline. Budget cuts and COVID-19 have forced IT departments into a corner. City services must continue to run, but now with less money and less access. Still, certain safeguards can and should be insisted on.
The compromised piece of third-party software that allowed the remote hack is a bane of cyber security experts so much so that has become somewhat of a meme in certain cyber security circles. TeamViewer, which boasts 200 million users worldwide, is simple and effective. It allows easy connectivity between two computers through remote access. While layperson-friendly, say, for homework help between family members, TeamViewer skips past several critical security steps.
Instead, experts advise that industrial control systems (ICS) cut its ties with TeamViewer for more secure protocols. Ideally, ICS’s should set up a secure VPN to its internal networks and enact a mandatory multi-factor authentication policy. Once inside, a final security protocol should be followed before any changes are allowed to be made to the system.
Whether these safety basics were overlooked intentionally or unintentionally, whether for reasons of budget cuts, ease of use, or lack of education, The Oldsmar, Florida hack is a cautionary tale. Municipal systems need more support. This investigation is ongoing.
Read More: Incident Of The Week