Detectives assigned to the Digital Forensics Unit at Pinellas County Sheriff’s Office are investigating an unlawful computer software intrusion at the City of Oldsmar’s water treatment plant. While the cyber attack was unsuccessful, it does highlight the need for cybersecurity tools in critical infrastructure applications.
On Friday, February 5, 2021, the Pinellas County Sheriff’s Office was notified by the City of Oldsmar that its computer system had been remotely accessed at 8:00am and 1:30pm by an unknown suspect. According to detectives, the City of Oldsmar’s computer system at the water treatment plant allows for remote access by authorised users to troubleshoot any system problems from other locations.
The initial intrusion was brief and did not raise concern, since supervisors regularly access the system remotely to monitor it. At 1:30pm, a plant operator witnessed a second remote access user opening various functions in the system that control the amount of sodium hydroxide in the water. The operator noted the remote access user raised the sodium hydroxide level in the water from 100 parts per million to 11,100 parts per million. The operator immediately reduced the level to its appropriate amount. Sodium hydroxide is used in small amounts to control acidity, but a large amount could have caused major problems in the water.
The initial investigation revealed that the hacker remotely accessed the treatment plant’s computer for approximately 3 to 5 minutes. Speaking at a press conference about the cyber attack, Sheriff Bob Gualtieri stated: “At no time was there a significant effect on the water being treated, and more importantly the public was never in danger.”
Commenting on the attack, Andrea Carcano, co-founder at Nozomi Networks stated: “Unfortunately, this attack plays into a troubling trend we’ve been following over the last year. As the pandemic forced critical infrastructure organisations to quickly shift to remote access options to keep systems up and running, we’ve seen threats rise and bad actors reach new lows – setting their sights on life threatening targets. Fortunately, in this case, operators monitoring Oldsmar’s treatment plant spotted the attack and were able to respond before anyone could be harmed. But it’s a stark reminder that with limited cybersecurity resources and few regulations, water utilities are vulnerable to attack. When it comes to critical infrastructure, operational resilience must be a top priority, and advances in AI-powered OT security and network monitoring are available to give operators the network visibility they need to quickly spot trouble and respond before harm is done.”
“This targeted attack appears to have started by the ‘bad actor’ getting access to a vulnerable network/system and working their way through the network trying to find the next weak access point while gathering data and understanding how the organisation operates along the way,” added Niamh Muldoon, Global Data Protection Officer at OneLogin. “In this instance, understanding the information assets, applying not only MFA but enhanced multi-factor authentication, would have reduced the risk of this unauthorised attack materialising. It’s a critical part of the MFA policy to enforce time limits for end-users and their trusted devices to re-authenticate, requiring them not only to validate themselves but also the identity of the device trying to access critical systems/applications and the network. Without knowing more of the details, applying enhanced MFA to the execution of critical actions, particularly for IT and systems administrators, would have reduced the associated risk further. Having logging in place, and understanding logged events, would support the associated monitoring and alerting. After the event has happened, crisis management is critical for successfully managing the attack response to reduce business impact and consequences, and it appears the Florida agency has done that.”
“While this incident will rightfully cause concern, it appears that the likelihood of real damage was minimal due to the fail-safes in place,” observes Tim Erlin, VP at Tripwire. “There are real impacts to be worried about, and actions to be taken, but this doesn’t appear to be a sophisticated or novel attack. From a cybersecurity standpoint, we should be particularly concerned about how the attacker was able to authenticate into the remote access software. That entry point should be very well protected, given that it provides access to such obviously sensitive capabilities. Protecting remote access into industrial systems where these types of changes can be made should be a high priority for any industrial environment.”
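The point made above about logging and alerting, and the 100 to 11,100 ppm change the operator happened to catch by eye, can be turned into an automated check. The following is an added example, not code from the article or from any of the vendors quoted: it scans a hypothetical HMI audit log and raises an alert for any sodium hydroxide setpoint change that leaves a safe band or jumps abruptly. The log format, safe-band values, account names and addresses are all constructed for the example.

```python
import re
from collections import namedtuple

# Safe band for the sodium hydroxide (NaOH) dosing setpoint, in ppm. The bounds are
# constructed for this example; the article only gives 100 ppm as the normal level.
NAOH_MIN_PPM, NAOH_MAX_PPM = 0.0, 500.0
MAX_STEP_FACTOR = 2.0  # alert if one change multiplies the setpoint by more than this

# Hypothetical HMI audit-log line format (not any real product's):
# "<time> <event> user=<name> src=<ip> [tag=<tag> old=<val> new=<val>]"
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+))?$"
)
Alert = namedtuple("Alert", "time user src reason")

def check_setpoint_change(old, new):
    """Return why a NaOH setpoint change should alert, or None if it looks normal."""
    if not NAOH_MIN_PPM <= new <= NAOH_MAX_PPM:
        return f"new setpoint {new:g} ppm outside safe band {NAOH_MIN_PPM:g}-{NAOH_MAX_PPM:g} ppm"
    if old > 0 and new / old > MAX_STEP_FACTOR:
        return f"setpoint jumped x{new / old:.1f} in a single change (limit x{MAX_STEP_FACTOR:g})"
    return None

def scan_audit_log(lines):
    """Return one Alert per out-of-band or abrupt NaOH setpoint change in the log."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["event"] != "SETPOINT_CHANGE" or m["tag"] != "NaOH_ppm":
            continue
        reason = check_setpoint_change(float(m["old"]), float(m["new"]))
        if reason:
            alerts.append(Alert(m["time"], m["user"], m["src"], reason))
    return alerts

# Constructed sample log following the article's sequence: a routine morning session,
# the 13:30 remote session that sets NaOH from 100 to 11,100 ppm, and the operator's
# correction from the local console. Account names and addresses are constructed too.
SAMPLE_LOG = """\
2021-02-05T08:00:12 REMOTE_LOGIN user=supervisor1 src=10.0.5.21
2021-02-05T13:30:05 REMOTE_LOGIN user=remote_acct src=198.51.100.77
2021-02-05T13:31:10 SETPOINT_CHANGE user=remote_acct src=198.51.100.77 tag=NaOH_ppm old=100 new=11100
2021-02-05T13:32:48 SETPOINT_CHANGE user=operator2 src=127.0.0.1 tag=NaOH_ppm old=11100 new=100
""".splitlines()

if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_LOG):
        print(alert)
```

The operator's corrective change back to 100 ppm is deliberately not flagged, since it lands inside the band and is a reduction, so the rule alerts on the dangerous direction without adding noise during recovery.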
Local, State, and Federal investigators are working together to identify those responsible and the investigation is ongoing. Other utility providers have been informed of the intrusion, so they can take their own protective measures.