The Oldsmar Water Treatment Facility in Pinellas County, Florida, was compromised by hackers on February 5th. The attackers took advantage of a TeamViewer application that was still installed on the water facility's network to gain remote access [1]. TeamViewer was originally installed to allow for status checks and troubleshooting of alarms or other issues, but it had not been used in around six months [1]. Additionally, the computers used to monitor the system remotely all shared a single password.
After gaining access to the system, the attackers were able to modify the concentration of water treatment chemicals and increased the amount of sodium hydroxide (lye) by a factor of 100 [2]. This much higher concentration had the potential to cause illness to the public and lead to significant corrosion and piping damage [2]. Fortunately, the operator saw the mouse moving across the screen and was able to reset the sodium hydroxide to the proper level [3].
This is not the first time that a water system has been infiltrated by attackers. In 2000, the Maroochy Shire wastewater treatment facility was compromised, resulting in a total of 750,000 gallons of raw sewage being spilled [4]. The most severe single incident polluted the Maroochy River with 264,000 gallons of raw sewage and caused "significant harm" to the environment [4]. In 2016, another attack led to the successful modification of chemical flows for the Kemuri Water Company (a pseudonym used for the incident, as the utility was not announced) by a group of politically motivated hackers with ties to Syria [5].
Although these incidents have demonstrated the susceptibility of water systems and other critical infrastructure to cybersecurity attacks, many Industrial Automation and Control Systems (IACS) still lack essential cybersecurity functions. The need for cybersecurity protection of critical infrastructure has become more pronounced as cybersecurity exposure continues to rise. A 2019 study found that 70% of all IACS now require some type of remote access [6]. If authorized users can legitimately establish access remotely, there is a potential for threat agents to do so as well.
The exposure created by remote access has become even more serious. As discussed in our previous blog on remote access, the increased use of remote access during the COVID-19 pandemic, the prevalence of legacy Windows systems in IACS applications, and the weak or often unconfigured security features in remote access applications are all factors that increase cybersecurity exposure. For the Oldsmar Water Treatment Facility, a number of factors led to the increased exposure:
- TeamViewer Remote Access Application that was not being used
- Single reused password for remote access to all computers
- No network segmentation for remote access computers
- Legacy Windows Systems
There are a number of straightforward steps that all water systems and other IACS should take to ensure they are adequately protected, such as:
- Reviewing hardware and software asset inventory
- Cybersecurity hygiene training and policies
- Using VPNs and multi-factor authentication for remote access
- Reviewing network segmentation
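One way to make the asset-inventory review a repeatable check for the four Oldsmar exposure factors listed above, as an added example that is not code from the original post or from the facility. The CSV columns, host names, zone name, legacy OS list and 90-day threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample inventory (not data from the Oldsmar incident).
# credential_id is an opaque label for the credential in use, never the password.
INVENTORY_CSV = """host,os,remote_tool,last_remote_use,credential_id,zone
hmi-01,Windows 7,TeamViewer,2020-08-01,cred-A,control
hmi-02,Windows 7,TeamViewer,2020-08-03,cred-A,control
eng-ws-01,Windows 10,VPN+MFA,2021-02-01,cred-B,remote-dmz
historian,Windows 10,,,,control
"""

LEGACY_OS = {"Windows XP", "Windows 7"}  # assumed end-of-support list
REMOTE_ZONE = "remote-dmz"               # assumed name of the segmented zone
STALE_DAYS = 90                          # assumed review threshold


def audit(csv_text, today):
    """Return {host: [findings]} covering the four exposure factors."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Group remotely accessible hosts by the credential they use.
    cred_hosts = defaultdict(list)
    for r in rows:
        if r["remote_tool"] and r["credential_id"]:
            cred_hosts[r["credential_id"]].append(r["host"])
    findings = defaultdict(list)
    for r in rows:
        host = r["host"]
        if r["os"] in LEGACY_OS:
            findings[host].append("legacy-os")
        if not r["remote_tool"]:
            continue  # remaining checks apply only to remote-access hosts
        if r["last_remote_use"]:
            idle = (today - date.fromisoformat(r["last_remote_use"])).days
            if idle > STALE_DAYS:
                findings[host].append(f"unused-remote-tool:{idle}d")
        else:
            findings[host].append("unused-remote-tool:never")
        if len(cred_hosts[r["credential_id"]]) > 1:
            findings[host].append("shared-credential")
        if r["zone"] != REMOTE_ZONE:
            findings[host].append("remote-access-unsegmented")
    return dict(findings)


if __name__ == "__main__":
    print(audit(INVENTORY_CSV, date(2021, 2, 5)))
```

Hosts with no findings are omitted from the result, so an empty dictionary means the inventory passed all four checks.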
Although implementing cybersecurity protections can seem daunting, an IACS cybersecurity gap assessment can provide a clear picture of the current cybersecurity exposure based on the network architecture, system vulnerabilities, and personnel security, and can identify prioritized and actionable recommendations for improving cybersecurity. The Florida water hack is just one more example of how important these steps are for preventing cybersecurity attacks on critical infrastructure from leading to potential harm to the general public.
For more information on the Florida water system attack and practical steps that can be taken to improve the cybersecurity of water systems and other critical infrastructure, please join us for our upcoming webinar.
1. Brian Fung and Alex Marquardt, Hacked Florida water plant reused passwords and had aging Windows Installation, CNN, 2021
2. Jaclyn Peiser, A Hacker broke into a Florida town’s water supply and tried to poison it with lye, Washington Post, 2021
3. Eric Levenson, Florida water hack highlights risks of remote access work without proper security, CNN, 2021
4. N. Sayfan and S. Madnick, Cybersafety Analysis of the Maroochy Shire Sewage Spill, Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, 2017
5. John Leyden, Water treatment plant hacked, chemical mix changed for tap supplies, The Register, 2016, https://www.theregister.com/2016/03/24/water_utility_hacked/
6. Year in Review: The ICS Landscape and Threat Activity Groups, Dragos, 2019