What Does the Florida Water Supply Incident Tell Us About ICS/OT security?
It has the makings of a horror film: a cyberattack tampers with a city’s water supply and poisons the residents. It nearly happened in the real world.
In 2021, a hacker managed to raise the level of sodium hydroxide in the water supply of Oldsmar, FL. Thankfully, the horror show stopped quickly: an employee at the water utility noticed the change in the dosing level and promptly reset it to normal.
The incident was frightening, and it was partly luck that the public was never put in true danger. The story does, however, offer a few cybersecurity lessons – including the importance of patching.
Let’s Recap What Happened
Wired magazine published a full account of the incident, but we’ll summarize how it happened. On Friday, February 5th, 2021, there was an attempt to poison the water supply of the city of Oldsmar. It began when a hacker gained access to the industrial control system (ICS) at a water treatment plant.
The hacker accessed the ICS through the TeamViewer software the facility used to give employees remote control of its control systems. At one point during their shift, one of the employees noticed the mouse cursor moving in TeamViewer.
A few hours later, the employee noticed the cursor moving again – this time clicking through the facility’s water controls, as the hacker raised the sodium hydroxide level from 100 ppm to 11,100 ppm, a toxic level. Thankfully, the change was noticed in time and the team member reversed it almost immediately.
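One way to catch a change like this automatically, instead of relying on an operator happening to see the cursor move, is a guard that checks every setpoint write against a safe operating band and a maximum step size before it takes effect. This is an added example, not code from the article or the plant; the tag name `naoh_dose_sp`, the limits, the session labels and the write log are all assumptions constructed for illustration.

```python
"""Setpoint guard: flag writes like the Oldsmar change before they take effect.
Added example, not code from the plant or the article; tags, limits and the
write log are constructed for illustration."""
from dataclasses import dataclass

# Hypothetical safe band for the sodium hydroxide setpoint, in ppm. A real plant
# takes these limits from its process engineers and permits, not from a blog.
NAOH_BAND_PPM = (50.0, 200.0)
MAX_STEP_RATIO = 2.0  # one write that more than doubles the setpoint is suspect

@dataclass(frozen=True)
class SetpointWrite:
    ts: str      # timestamp as logged by the HMI or historian
    tag: str     # process tag being written
    old: float   # value before the write
    new: float   # value requested by the write
    source: str  # "local_hmi" or "remote_session" (e.g. a TeamViewer session)

def evaluate(w, band=NAOH_BAND_PPM, max_step=MAX_STEP_RATIO):
    """Return the reasons a write should be held for review; empty means accept."""
    lo, hi = band
    reasons = []
    if not lo <= w.new <= hi:
        reasons.append(f"out_of_band:{w.new:g}ppm not in [{lo:g},{hi:g}]")
    if w.old > 0 and w.new / w.old > max_step:
        reasons.append(f"step_too_large:x{w.new / w.old:g}")
    # Remote origin is not a fault by itself; it raises the priority of a write
    # that is already suspect, since that is how the Oldsmar change arrived.
    if reasons and w.source == "remote_session":
        reasons.append("remote_origin")
    return reasons

def review(writes):
    """Split a write log into accepted writes and (write, reasons) pairs to hold."""
    accepted, held = [], []
    for w in writes:
        reasons = evaluate(w)
        if reasons:
            held.append((w, reasons))
        else:
            accepted.append(w)
    return accepted, held

# Constructed write log: two routine local adjustments, then the attacker's write.
SAMPLE_WRITES = [
    SetpointWrite("2021-02-05T08:02", "naoh_dose_sp", 100.0, 110.0, "local_hmi"),
    SetpointWrite("2021-02-05T09:15", "naoh_dose_sp", 110.0, 100.0, "local_hmi"),
    SetpointWrite("2021-02-05T13:31", "naoh_dose_sp", 100.0, 11100.0, "remote_session"),
]
```

A guard like this belongs in the control layer or the HMI write path, where it can hold the write for confirmation; an alert alone still depends on someone watching.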
But how did the hacker get access to TeamViewer? Well, ever heard the advice about not sharing passwords and changing them regularly? Apparently, the tech team at the water treatment facility had never heard that advice (or ignored it).
ICS/OT Is Now Exposed
Let’s take a step back. Not that long ago, ICS and operational technology (OT) were – generally speaking – completely disconnected from the outside world. Adjustments were made on site by employees working with systems that were, for all intents and purposes, isolated from the internet.
For an attack to succeed, the attacker generally had to get inside the facility physically. A disgruntled employee, an employee planted there with the intent of executing an attack, or a physical breach of the facility would be how an attacker gained access.
This is no longer the case as OT and IT increasingly converge, and as OT increasingly needs internet connectivity to function (think about industrial IoT, for example). The attack on the water treatment facility illustrates how easily ICS/OT can be exposed to the outside world.
Ignoring Commonly Known Advice
With these systems now more connected to the outside world, older assumptions about which security measures ICS/OT requires are no longer valid, and organizations that operate OT need to step up their game and, at the very least, follow common best practices.
And here’s the rub: time and time again, it’s the same old advice that would have saved the day, but never did because the advice was never implemented. Despite all the knowledge, education, and reports of successful attacks, it comes down to the same old story almost every time.
Whether it’s password hygiene, carefully managing roles and privileges, or maintaining a perimeter, established best practices are commonly ignored – giving threat actors a way in. The threat to critical infrastructure is ongoing. Operators of ICS and OT cannot afford to pretend that outdated notions of security requirements are still valid and cannot afford to ignore standard advice.
This Time It Wasn’t Patching, But It Could Have Been
Rapid, consistent patching is one of the sensible cybersecurity practices that is regularly ignored, just as simple guidance on good password practices is ignored. To be fair, patching is a bit more complicated: a lack of resources and the need to schedule maintenance windows to take systems offline can get in the way.
But patching must be done, and it needs to be done consistently. Thankfully, the patching game has changed dramatically thanks to live patching – which is now also available for ICS, OT, and IIoT.
The incident in Florida teaches us a simple lesson: there is great danger in ignoring simple cybersecurity principles. In this instance, the danger was narrowly avoided. That won’t always be the case. Patching is one of the most commonly ignored cybersecurity principles – and failing to patch is the leading cause of successful breaches.
So, patch – and patch now. Struggling to patch? Explore how live, automated patching can help.