Florida Water Facility Attack: A Giant, Flashing Call to Action for Utility Providers

On February 5th, 2021, a water treatment facility in Oldsmar, Florida got hacked. The attacker tried to poison the water supplied to almost 15,000 residents downstream by increasing the amount of sodium hydroxide – lye – from 100 to 11,100 parts per million.  Luckily, the alert operator noticed the increase almost instantly and reversed it, preventing a potentially devastating event.  However, this incident underscores the need for effective cybersecurity of our critical infrastructure.

A recap of the attack

The attacker gained access to the system via TeamViewer, a software application that lets users remotely control another device.  Oldsmar’s water facility had not used the application in the previous six months, yet the hackers were able to use it to gain access to the computer that hosts the program for managing the chemical content of the underground water reservoir.

The county, in coordination with the FBI and US Secret Service, has launched an investigation and a forensic analysis of the attack.  The attacker has not yet been identified.

The attack – shocking but not surprising

As Chris Krebs, the former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, pointed out, “Monday’s revelation that a bad actor appeared to remotely access and change the chemistry at a Florida water treatment facility is one more reminder of just how dire the nation’s cybersecurity challenge is.  Unfortunately, that water treatment facility is the rule rather than the exception.”

Oldsmar’s water treatment facility is one of over 148,000 public water systems in the country.  There is no unified cybersecurity system or protocol in place, leaving it up to each local government or private entity to manage the best they can.

A study by Siemens and the Ponemon Institute found that 56% of utility providers experienced at least one shutdown or operational data loss per year.  A quarter of them were impacted by mega attacks.  Such attacks are often launched by nation-state actors.

The reality is that utility providers present a prime opportunity for attackers to cause large-scale damage.  For example, in the fall of 2019, when California was battling wildfires, utility companies in Northern California made the decision to shut down their services, fearing the catastrophic consequences of their legacy equipment catching fire.  This ended up costing California an estimated $2.5 billion.  This is the scale of damage a cyberattacker can achieve with a successful breach.

The COVID-19 pandemic has only intensified the volume of cyberattacks.  The number of machines running remote desktop protocols increased by 40%.  In the meantime, email scams surged by more than 600%.  90% of coronavirus domains are scams.  There are dozens of other statistical examples of both the surge in cybercrime and the larger attack surface presented by public and private companies.

Lessons you must learn from the Florida water facility attack

The Florida water facility attack is just the latest in a long stream of reminders that cybersecurity is not only about securing access to data but also about protecting the physical health and safety of people.  While, ideally, you, as a utility provider, should switch to SASE and a zero-trust-based infrastructure, these are the five steps you must take immediately:

  1. Educate your staff on responsible digital behavior.  Given the fact that 95% of successful security attacks are the result of human error, you must make employee cybersecurity training one of your top priorities.
  2. Audit your network and upgrade legacy systems.  Whether it’s an outdated operating system that is still in use on a single computer or a piece of anti-malware software that hasn’t been updated to the latest version containing security patches, you have to inspect every last piece of the network for potential entry points and replace those that pose a threat.  Remember to extend your audit beyond your information technology and be just as diligent when it comes to operational technology (OT), given that 30% of cyberattacks on OT systems go undetected.
  3. Don’t assume that a system that operates in isolation from the internet can’t be penetrated, and take steps to protect it.  As the Stuxnet attack on Iran’s nuclear facilities proved, hackers can jump the air gap and escape the digital environment, causing physical damage to an isolated system.
  4. Automate threat detection and response. The operator who noticed the increase in the level of sodium hydroxide in the Oldsmar case is hailed as a hero, and deservedly so. However, it is perilous to rely on human abilities alone to detect and prevent threats, given the increasingly complex nature of IT networks. You need a robust monitoring and risk assessment system in place that collects and reviews IT and OT logs, notifies you of threats, and automatically deploys measures to minimize the risk.
  5. Implement multi-factor authentication and strict access controls. Since many attacks successfully breach the perimeter using social engineering tactics, vigilantly implement a multi-factor authentication system. This will add another layer of security to your network. Furthermore, audit your access management system and ensure that it strictly limits access to the system on a minimum-access-required basis.
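As an added illustration of step 4 (this is example code, not from the article or the Oldsmar facility), the following Python monitor reads a constructed HMI audit trail, refuses a sodium hydroxide setpoint outside an assumed safe window, flags large in-range jumps for operator review, and records when a change happened inside a remote-access session. The log format, the `NaOH_ppm` tag name, the `SAFE_MAX_PPM`/`MAX_STEP_PPM` limits and the sample lines are all assumptions.

```python
import re

# Plant-specific limits for the sodium hydroxide (lye) dosing setpoint, in ppm.
# The 100 ppm baseline and the 11,100 ppm attacker value come from the Oldsmar
# reporting; the safe ceiling and per-change step limit are assumed tuning values.
SAFE_MAX_PPM = 200      # assumed: any setpoint above this is refused outright
MAX_STEP_PPM = 25       # assumed: larger single increases need operator review

# Constructed sample audit trail in an assumed "<ts> <source> <event> k=v ..." format.
SAMPLE_LOG = """\
2021-02-05T08:00:00 hmi SETPOINT tag=NaOH_ppm old=100 new=110 user=op1 session=console
2021-02-05T13:27:10 remote SESSION_OPEN tool=TeamViewer user=op1 src=203.0.113.7
2021-02-05T13:30:42 hmi SETPOINT tag=NaOH_ppm old=110 new=11100 user=op1 session=remote
2021-02-05T13:31:05 hmi SETPOINT tag=NaOH_ppm old=11100 new=100 user=op1 session=console
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")

def parse_line(line):
    """Split one audit line into its fixed columns plus key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "source": source, "event": event, **fields}

def check_setpoint(old, new):
    """Classify a NaOH setpoint change: 'block', 'alert' or None (acceptable)."""
    if new > SAFE_MAX_PPM:
        return "block"            # automatic response: refuse or revert the write
    if new - old > MAX_STEP_PPM:
        return "alert"            # large upward jump, still in range: notify operator
    return None                   # small change or reversion toward baseline

def analyze(log_text):
    """Walk the audit trail and return (ts, severity, reason) findings in order."""
    alerts, remote_tool = [], None
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        if ev["event"] == "SESSION_OPEN":       # remote tool in use: worth a notice on its own
            remote_tool = ev.get("tool")
            alerts.append((ev["ts"], "notice", f"remote session via {remote_tool} from {ev.get('src')}"))
        elif ev["event"] == "SESSION_CLOSE":
            remote_tool = None
        elif ev["event"] == "SETPOINT" and ev.get("tag") == "NaOH_ppm":
            verdict = check_setpoint(int(ev["old"]), int(ev["new"]))
            if verdict:
                ctx = f" during {remote_tool} session" if ev.get("session") == "remote" else ""
                alerts.append((ev["ts"], verdict, f"NaOH setpoint {ev['old']}->{ev['new']} ppm{ctx}"))
    return alerts
```

Running `analyze(SAMPLE_LOG)` yields a notice for the remote session and a block for the 11,100 ppm write, while the operator's reversion to 100 ppm passes silently.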