The New York Times Headline: “Dangerous Stuff” as Oldsmar Becomes International Story. Oldsmar, Florida became an international story with news that one or more hackers had remotely accessed its water treatment plant and briefly changed the levels of lye in the drinking water by a factor of 100. The New York Times article quotes Pinellas County Sheriff Bob Gualtieri saying: “This is dangerous stuff. It’s a bad act. It’s a bad actor. It’s not just a little chlorine, or a little fluoride — you’re basically talking about lye.” Mr. Gualtieri urged managers of critical infrastructure systems, particularly in the Tampa area, to review and tighten their computer systems. Fortunately, the attempt was recognized by operators and stopped, but the potential harm remains chilling. The attack on a municipal water system is such an egregious act that I’m devoting this week’s entire Security Roundup to the event, with a look at how it might have been prevented.
India Times Notes Previous Hacks on U.S. Industrial Control Systems. In a sign of what an international story this was, the India Times reported on the attack on Oldsmar. Although the attacker on Oldsmar remains a mystery, the India Times referenced other attacks on U.S. infrastructure, writing: “Russian state-backed hackers have in recent years penetrated some U.S. industrial control systems, including the power grid and manufacturing plants while Iranian hackers were caught seizing control of a suburban New York dam in 2013. In no case was damage inflicted but officials say they believe the foreign adversaries have planted software boobytraps that could be activated in an armed conflict.”
“Water Utility Hack Could Inspire More Intruders.” That’s the headline for Oldsmar coverage from Dark Reading, which captures a widely held fear throughout the security community. The article says: “If past cyberattacks are any indication, success begets imitation. In the wake of last week’s hack of Florida water utility, other water utilities and users of remote desktop software would be wise to shore up defenses, experts say.” Dark Reading notes that the attack on the Oldsmar water treatment system lacked technical sophistication, showed no insider knowledge of the system, and had all the hallmarks of a hacker joyride through a critical system. But it quotes Padraic O’Reilly, co-founder and chief of product for CyberSaint, an IT risk management firm, as saying: “We don’t care whether it is a joy ride or not because now people know it’s possible. It does not matter whether it’s a nation-state, because that is just guessing at this point. But what you are signaling to bad actors is that this is possible and maybe too easy to do.”
“Sobering Takeaways” from the Oldsmar attack. Cybersecurity guru Brian Krebs, writing in his Krebs on Security, compliments Pinellas County Sheriff Bob Gualtieri for holding “a remarkably clear-headed and fact-filled news conference about an attempt to poison the water supply of Oldsmar.” Krebs provides what he calls “sobering takeaways” from the attack:
- There are approximately 54,000 distinct drinking water systems in the United States.
- The vast majority of those systems serve fewer than 50,000 residents, with many serving just a few hundred or thousand.
- Virtually all of them rely on some type of remote access to monitor and/or administer these facilities.
- Many of these facilities are unattended, underfunded, and do not have someone watching the IT operations 24/7.
- Many facilities have not separated operational technology (the bits that control the switches and levers) from safety systems that might detect and alert on intrusions or potentially dangerous changes.
A Plea: Please Pay Attention to Security. My frequent refrain in this column is to please pay attention to security. Too often, the breaches reported in my weekly Security Roundup can be traced to inadequate security precautions. This appears to have been the case with the Oldsmar breach. The Hacker News headline tells the story: “Poor Password Security Led to Recent Water Treatment Facility Hack.” The Hacker News reports that the unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system via TeamViewer software installed on one of the plant’s several computers that were connected to the control system. The article notes: “Not only were these computers running 32-bit versions of the Windows 7 operating system, but the machines also shared the same password for remote access and are said to have been exposed directly to the Internet without any firewall protection installed.” In addition to Microsoft Windows 7 having reached end-of-life as of January 14, 2020, the shared passwords and the absence of a firewall make these machines ripe targets for hackers. With many small public utilities facing aging infrastructure and tight budgets, they would do well to engage with a Managed Security Provider to tap into the expertise needed to protect these critical public resources.
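The three weaknesses named in The Hacker News report (an end-of-life operating system, one remote-access password shared across machines, and direct Internet exposure without a firewall) can be checked mechanically against an asset inventory. The sketch below is an added example, not code from the article or from any utility; the host names, field names and inventory records are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# End-of-support dates; the Windows 7 date is the one quoted in the article.
# Operating systems absent from this table are not flagged.
OS_END_OF_LIFE = {"Windows 7": date(2020, 1, 14)}

# Constructed inventory (hypothetical hosts and field names). "cred_id" is an
# opaque identifier for the remote-access credential, never the password itself.
INVENTORY = [
    {"host": "hmi-01", "os": "Windows 7", "cred_id": "ra-A",
     "internet_exposed": True, "firewall": False, "scada_connected": True},
    {"host": "hmi-02", "os": "Windows 7", "cred_id": "ra-A",
     "internet_exposed": True, "firewall": False, "scada_connected": True},
    {"host": "eng-01", "os": "Windows 10", "cred_id": "ra-B",
     "internet_exposed": False, "firewall": True, "scada_connected": True},
]

def audit(inventory, today):
    """Return a sorted list of (host, finding) for SCADA-connected machines."""
    findings = set()
    by_cred = defaultdict(list)
    for m in inventory:
        if not m["scada_connected"]:
            continue
        eol = OS_END_OF_LIFE.get(m["os"])
        if eol is not None and today > eol:
            findings.add((m["host"], "os-end-of-life"))
        if m["internet_exposed"] and not m["firewall"]:
            findings.add((m["host"], "internet-exposed-no-firewall"))
        by_cred[m["cred_id"]].append(m["host"])
    # A credential that appears on more than one machine is a shared password.
    for hosts in by_cred.values():
        if len(hosts) > 1:
            findings.update((h, "shared-remote-access-credential") for h in hosts)
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in audit(INVENTORY, date(2021, 2, 15)):
        print(f"{host}: {finding}")
```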
Clinton A. Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees, has a strong affiliation with various education groups and local school districts, and has served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves as a Vice President of the Board of Directors for the Orlando Shakes Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce, and the Orlando Economic Partnership.