When the sheriff of Oldsmar, Fla., held a press conference to discuss a hack into the city’s water treatment facility, many cybersecurity experts were surprised – not by the hack, but by the publicity.
When the sheriff of Oldsmar, Fla., held a press conference to discuss a Feb. 5 hack into the water treatment facility that could have poisoned the city’s water supply, many cybersecurity experts stood up and took notice.
The intruder seemed to have breached the plant’s industrial controls via a remote desktop monitoring application and may have taken advantage other cybersecurity weaknesses, such as lax password security and use of an unsupported operating system. That access was used to change chemical controls to dump lye into the city’s drinking water.
On Feb. 11, the Cybersecurity and Infrastructure Security Agency, the FBI, the Environmental Protection Agency and the Multi-State Information Sharing and Analysis Center issued a joint advisory outlining how cyber criminals can gain unauthorized access to systems by exploiting desktop-sharing software and end-of-life operating systems, particularly Windows 7, and making recommendations for defending water and wastewater systems.
Despite the government response, the fact that the hack made headlines at all was itself newsworthy. security expert and blogger Brian Krebs said.
According to Krebs’ Feb. 10 KrebsOnSecurity blog, online forums are full of posts from security researchers describing how they accessed industrial control systems through vulnerabilities in human-machine interfaces.
Hackers see smaller municipal utilities as attractive targets. They must focus on keeping customer-facing systems running. Tight budgets often leave their IT departments understaffed, which means they likely rely on remote access for monitoring or administering control systems. Combining insufficient IT resources with frequently unattended facilities and the relative ease of finding internet-connected systems through websites like Shodan makes such facilities ripe for attack.
“Why aren’t there more incidents like the one in Oldsmar making the news?” Krebs asked. “One reason may be that these facilities don’t have to disclose such events when they do happen.”
According to Krebs, only one federal law applies to the cybersecurity of U.S. water treatment facilities. The America’s Water Infrastructure Act of 2018 requires water systems serving more than 3,300 people to conduct risk assessments and make emergency response plans, but “nothing in the law requires such facilities to report cybersecurity incidents, such as the one that happened in Oldsmar this past weekend,” he said.
One large water plant fell victim to the Egregor ransomware, but the incident was handled in-house, Andrew Hildick-Smith, a consultant who served nearly 20 years managing remote access systems for the Massachusetts Water Resources Authority, told Krebs: “They made contact with the Water ISAC and the FBI, but it certainly didn’t become a press event, and any lessons they learned haven’t been able to be shared with folks.”
Fortunately, most attacks on water-treatment plants have not yet threatened public safety, but rather are financially motivated. In several cases, Hildick-Smith said, incursions into control systems were “by chance.” Hackers used the control systems as “a computer of convenience” to set up financial transactions or as a vector for ransomware attacks on the business side of the utility.
Even if a breach causes no damage, though, “some utilities are afraid that if their vulnerabilities are shared the hackers will have some inside knowledge on how to hack them,” said Michael Arceneaux, managing director of the Water ISAC, an industry group that tries to facilitate information sharing and the adoption of best practices among utilities in the water sector. “Utilities are rather hesitant to put that information in a public domain or have it in a database that could become public.”
“The only reason we knew about this incident in Florida was that the sheriff decided to hold a news conference,” Joe Weiss, managing partner at Applied Control Solutions, a consultancy for the control systems industry, told Krebs. “The FBI, Department of Homeland Security, none of them want to talk about this stuff publicly. Information sharing is broken.”
NEXT STORY: 5 tech trends for 2021