There’s an old saying in the American West: “Whiskey is for drinking; water is for fighting.” Back in March, Red Sky Alliance presented facts surrounding the Oldsmar, Florida water treatment cyber-attack. Well, this critical infrastructure in the US remains a target for cyber-criminals.
The idea that access to water, especially the clean, drinkable kind, is something that is worth fighting for is nothing new. But cyber security was never a real factor in water safety. Recent incidents have exposed the vulnerability of US water and wastewater systems to attacks by cyber criminals.
In February, an unknown hacker or group of hackers was able to gain access to the operations technology (OT) system of a water treatment plant in Oldsmar. The attack attempted to poison the water supply by increasing the amount of sodium hydroxide, also known as lye, in the water from 100 parts per million to 11,100 parts per million. The attempt was thwarted by an operator who was able to reverse the change to the settings before the toxic levels of the chemical reached the water.
Last month in June, media reported on a hacker who in January attempted to poison a water treatment plant that served parts of the San Francisco Bay Area. “The hacker had the username and password for a former employee's TeamViewer account, a popular program that lets users remotely control their computers,” according to the report. After logging in, the hacker reportedly deleted programs that the water plant used to treat drinking water.
The vulnerability of the nation’s drinking water supplies was underlined at a 21 July 2021 hearing of the US Senate Committee on Environment and Public Works regarding cyber threats to critical infrastructure. In his opening statement, Committee Chairman Tom Carper, D-DE, warned of the “mounting cybersecurity challenges facing our nation’s drinking water and wastewater systems.” Carper cited a 2019 report by the American Water Works Association that listed cyber-risk as the number one threat facing the US water sector. “Just one year earlier, the Department of Homeland Security and the FBI warned that the Russian government was specifically targeting the water sector and other critical infrastructure as part of a multi-stage intrusion campaign,” Carper said.
The Cyberspace Solarium Commission, a nonpartisan group established in 2019 to develop a strategic approach to defending the United States against cyber threats, identified the nation’s water and wastewater utilities as one of the components of the nation’s critical infrastructure system most vulnerable to cyberattacks, along with the electric grid and the financial system. “Gaps in utilities’ network configurations, insecure remote access systems and outdated training regimes are just a few of the vectors through which Americans’ water infrastructure is vulnerable to cyber-enabled exploitations,” according to the commission’s 2020 report.
There are around 70,000 individual water and wastewater utilities across the US. Cybersecurity experts say the fragmented nature of this water supply network contributes to its vulnerability to cyber intrusions. In comparison with the companies that make up the oil and gas pipeline network or the electric grid, many of these water systems are smaller, have outdated information technology (IT) equipment, and lack the budgets to adequately update their cyber defenses.[1]
The CEO of cybersecurity firm ThreatLocker said that for small water utilities, such as the one in Oldsmar, the lack of resources to hire highly skilled IT professionals is a big problem. “With a water company of that size, you might have one, two or three IT people managing the entire thing and they’ve been in the same job for 20 years. They don’t even know the risks,” he said. “It wouldn’t be unrealistic to expect a local municipality to be increasing their IT spend to between $500,000 and a million dollars per year to get where they need to be,” he added. “And it’s not just about spending money. It’s making sure you put the right things in place to take control of your environment.”
The Oldsmar breach represented “a failure on multiple levels,” ThreatLocker said. First, there were insufficient steps taken to ensure that an intruder could not access the IT system through the Internet from a remote computer. Second, there was a lack of separation between the IT system, which the hackers were able to access, and the system that controlled the operations of the water treatment plant. “Even though they had gotten into the IT systems, they shouldn’t have been able to increase the levels of sodium hydroxide,” Jenkins said.
“What we saw in Oldsmar, Florida unfortunately is an incident that’s waiting to happen in many water utilities,” said the chief product officer at cybersecurity company Claroty. He said water utilities tend to be under-resourced in terms of both their technology and the cyber skills of their employees. “Addressing this problem is going to require a broad set of tactics, everything from replacing obsolescent infrastructure, patching the environments, building cyber skills for OT operators and providing governance at the [corporate] level,” he said.
BlueVoyant said water utilities will need to continuously work to upgrade their equipment, software and technology processes, and to increase the skill levels of IT workers in order to respond to the ever-evolving nature of cyberattacks. “IT network protection is a constant game of cat and mouse. There is no good clean state where you can rest,” he said. “We cannot rely just on technology. We need to have the right processes in place to stay in front of the threat.”
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
[1] https://www.forbes.com/sites/jimmagill/2021/07/25/us-water-supply-system-being-targeted-by-cybercriminals/