Aquatic attack emphasizes the impact of cyber on physical security
At a water treatment facility in Oldsmar, Florida, on February 5, an operator was watching a computer screen when someone remotely accessed the system used to monitor the water supply and increased the amount of sodium hydroxide from 100 ppm to 11,100 ppm. The chemical, also known as lye, is used in low concentrations to control acidity in water. In larger concentrations, the compound is toxic – the same corrosive chemical used to clear clogged drains.
The Impact of Cybersecurity Attacks
The incident is the latest example of how cybersecurity attacks can translate into real, even fatal, consequences for physical security.
The computer system has been set up so that only authorized users are allowed remote access. The source of the unauthorized access is unknown. However, the attacker was only in the system for 3 to 5 minutes, and an operator soon corrected the concentration back to 100 ppm. It would have taken a day or more for contaminated water to get into the system.
In the end, the city’s water supply was not affected. There were other safeguards in place that would have prevented contaminated water from entering the city’s water supply, which serves around 15,000 residents. The remote access used for the attack has been disabled pending investigation by the FBI, intelligence and the Pinellas County Sheriff’s Office.
On February 2, a compilation of compromised usernames and passwords known as COMB, for “Compilation of Many Breaches”, was posted online. COMB contains 3.2 billion unique email/password pairs. It was later discovered that the breach contained credentials for the Oldsmar Waterworks.
Attacks on water facilities feared for years
Cybersecurity attacks on small municipal water systems have been a problem for security professionals for years.
Florida Senator Marco Rubio tweeted that attempts to poison the water supply should be treated as a “national security matter”.
“The incident at the Oldsmar water treatment plant is a reminder that our country’s critical infrastructure is constantly at risk, not only from nation-state attackers, but also from malicious actors with unknown motives and goals,” comments Mieng Lim, Vice President of Product Management at Digital Defense Inc., a provider of solutions for vulnerability management and threat assessment.
“Our dependence on critical infrastructures – power grids, utilities, water supply, communications, financial services, emergency services, etc. – emphasizes daily the need to ensure that the systems are defended against any adversary,” adds Mieng Lim. “Proactive security measures are critical to protecting critical infrastructure systems when perimeter defenses have been compromised or bypassed. We need to get back to basics – reassessing and rebuilding security protection from the ground up.”
“This event reinforces the growing need to authenticate not only users, but also the device and machine identities authorized to connect to a company’s network,” added Chris Hickman, chief security officer at digital identity security provider Keyfactor. “added protection is user authentication, it is compromised. It’s not necessarily about who is connecting to the system, but about what that user can access once they are on the system.
“If the network could have authenticated the validity of the device connecting to the network, the connection would have failed because hackers rarely have authorized devices. This and other cases of hijacked user credentials can be limited or mitigated when devices obtain strong, crypto-derived, unique credentials such as a digital certificate.
In this case, the network appears to have trust in the user credentials but not the validity of the device. Unfortunately, such a scenario can happen if zero trust is your end state and not your starting point.”
“The attack on Oldsmar’s water treatment system shows how critical national infrastructure is becoming increasingly a target for hackers as organizations bring systems online for the first time as part of digital transformation projects,” said Gareth Williams, vice president of secure e communication and information systems at Thales UK. “The move towards more automation and connected switches and control systems offers unprecedented opportunities, but it is not without risk. Anything brought online instantly becomes a target to be hacked.”
Operational Technology to Mitigate Attacks
Williams encourages companies to approach operational technology as a separate entity and adopt procedures that can mitigate the effects of an attack that could ultimately cost lives. This means understanding what is interconnected, who has access to it, and what else could be at risk if that system is compromised, he says: “Once this is in place, you can secure access through protocols like access management and resilient systems.”
“The cyberattack on the Oldsmar water supply should be a wake-up call,” says Saryu Nayyar, CEO of Gurucul. “A perfect example of what we warned about,” she says.
While this attack was unsuccessful, there is little doubt that a skilled attacker could carry out a similar infrastructure attack with more destructive results, says Nayyar. Organizations tasked with running and protecting critical public infrastructure must assume the worst and take more serious steps to protect their environment, she advises.
Fortunately, Oldsmar had backup systems. What might have been a tragedy turned into a cautionary tale. Both physical security and cybersecurity professionals should be aware of this.