Holders of critical national infrastructure (CNI), such as utilities and telecommunications, have received a timely warning of how crucial it is to secure their systems, after a keen-eyed technician in a Florida town narrowly averted a major public health incident caused by a cyber attacker.
In the attack – reminiscent of a scenario in the 2005 movie Batman Begins, in which the antagonist plots to destroy Gotham City by releasing hallucinogenic drugs via its water supply – an unknown actor attempted to increase the amount of the chemical sodium hydroxide, or lye, in the water treatment system in the town of Oldsmar, near Tampa, on the US state’s west coast.
Lye is a highly corrosive alkaline with legitimate uses in water treatment, as well as cleaning products and food preservation, but is also highly dangerous to humans, causing chemical burns and blindness, and is potentially fatal if ingested. It has famously been used by many serial killers to dissolve the remains of their victims.
In the Florida attack, a computer controlling the system was accessed remotely on Friday 5 February 2021. This was spotted at the time but, according to local media, the plant operator thought it was his supervisor. A second attempt later that day saw the attacker access the system software to increase the lye content in the town’s water from 100 parts per million to more than 11,000. This was again spotted and reversed with no ill-effects.
Local sheriff Bob Gualtieri told reporters that at no time was there an adverse affect on the water supply and nobody had been in immediate danger. He added that even if missed, it would have taken some time for the tainted water to reach consumers.
Oldsmar mayor Eric Seidel added: “The protocols that we have in place, monitoring protocols, they work – that’s the good news. Even had they not caught them, there are redundancies in the system that would have caught the change in the pH level.
“The important thing is to put everyone on notice. There’s a bad actor out there.”
Only a matter of time
From a cyber criminal or nation state advanced persistent threat (APT) perspective, a successful attack on a CNI owner would be a real coup de grâce – but from a defender’s point of view, it is close to a doomsday scenario, and in the light of this, the thwarted Florida cyber attack should cause alarm bells to ring for many.
Stuart Reed, UK director of Orange Cyberdefense, said this is precisely the kind of assault that cyber security experts have long feared. “It is frightening to think what might have happened if it was not for the vigilance of one of the plant’s operators,” he said.
“The incident in Florida will go down as yet another near miss, but it is clear that CNI will remain a key target for hackers – inaction can no longer be tolerated.”
Tom Garrubba, CISO at Shared Assessments, a US-based risk management partnership, added: “With so much emphasis recently placed on hacks for the healthcare and financial services industry, an infrastructure hack such as this tends to hit much closer to home as it regards our physical safety.
“As this is the case, it is critical to consistently review and monitor such critical administrative accounts that control such systems. Alarms and logs for critical infrastructure systems should be reviewed and attended to constantly, and if such a hack or changes in set tolerances were to occur, a root cause analysis is imperative to mitigate such an event from happening in the future.”
Gurucul CEO Saryu Nayyar said: “The cyber attack against the water supply in Oldsmar, Florida, last week should come as a wake-up call. Cyber security professionals have been talking about infrastructure vulnerabilities for years, detailing the potential for attacks like this, and this is a near perfect example of what we have been warning about.
“Though this attack was not successful, there is little doubt that a skilled attacker could execute a similar infrastructure attack with more destructive results. Organisations tasked with operating and protecting critical public infrastructure must assume the worst and take more serious measures to protect their environments.”
Covid-19 adds new strain
The events of the past 12 months have highlighted the importance of critical infrastructure to the smooth functioning of daily life. Indeed, the UK government has made the security of such services a national priority in 2021.
Andrea Carcano, co-founder of Nozomi Networks, said: “Unfortunately, this attack plays into a troubling trend we’ve been following over the last year. As the pandemic forced critical infrastructure organisations to quickly shift to remote access options to keep systems up and running , we have seen threats rise and bad actors reach new lows – setting their sights on life-threatening targets.”
Reed added: “Covid-19 has already placed enormous strain on UK infrastructure. As the government and NHS wrestle with the pandemic, it is hard to imagine how the country could cope at this time if there was any major disruption to the supply of electricity or water.
“Nonetheless, key facilities worldwide are constantly being probed for weaknesses, and there are still significant concerns about the readiness of CNI to weather increasingly sophisticated cyber attacks, with many facilities believed to run on out-of-date and vulnerable IT systems.
“Thwarting cyber attacks against key utilities and services has never been more critical and the severe consequences of failing to do so are only exacerbated by the unprecedented events of the past year.”
How to approach security
Reed said organisations responsible for CNI needed to take a layered approach to security, ensuring they had the best and most up-to-date tools and services in place, supplemented by investment in people, processes and training. Only this, he said, would provide the right combination of safeguards to ensure that public health and safety is not – as it was the case in the Oldsmar incident – solely dependent on one person looking at the right computer screen at the right moment.
Nozomi’s Carcano added: “When it comes to critical infrastructure, operational resilience must be a top priority and advances in AI-powered OT security and network monitoring are available to give operators the network visibility they need to quickly spot trouble and respond before harm is done.”
OneLogin global data protection officer Niamh Muldoon advised CNI operators to pay close attention to access controls.
“This targeted attack appears to have started by the bad actor getting access to a vulnerable network/system and working their way through the network trying to find the next weak access point while gathering data and understanding how the organisation operates along the way,” she said. “In this instance, understanding the information assets, applying not only multifactor authentication [MFA] but enhanced multifactor authentication, would have reduced the risk of this unauthorised attack materialising.
“It is a critical part of the MFA policy to enforce time limits for end-users and their trusted devices to re-authenticate, requiring them not only to validate themselves, but also the identity of the device trying to access critical systems/applications and the network.”
Muldoon added: “Without knowing more of the details, applying enhanced MFA to the execution of critical actions, particularly for IT and systems administrators, would have reduced the associated risk further. Having logging in place, and understanding logged events, would support the associated monitoring and alerting events.”
“Scada networks are relied upon to manage critical infrastructure across the globe, but they are predominantly reliant on older, legacy systems that were not designed to be integrated or connected to the internet,” he said. “Pre-digital design was based on ‘air-gapping’ the critical components, but it has become more and more obvious to malicious actors that those gaps present unprotected points of entry for malicious software.
“Nation state security services are aware of these vulnerabilities and I would expect the authorities involved to provide a solution to the citizens of Florida currently affected by this incident.”