Why OT Cyber is More Than Just Downtime: A Look at the Recent Florida Water Cyber Attack
A cybersecurity attack that almost triggered a dangerous chemical increase at a Florida water treatment plant highlights why utilities must build a thoughtful approach when deploying remote-connectivity software.
“When you’re trying to decide how you’re going to do remote connectivity, you have to take into consideration security, not just convenience,” says Scott Christensen, GrayMatter’s Cyber Practice Director.
“You always need to be asking, ‘Are we doing this in a way that’s risk averse?’”
The Cyber Incident
Authorities say plant operators in Oldsmar, Fla., immediately noticed the cyber attack when a cursor unexpectedly started to move across a computer screen and increased the amount of lye the system adds to treat drinking water from 100 parts per million to 11,100 parts per million.
An operator who noticed the increase, and saw bizarre activity earlier in the day, prevented plant systems from making the increase.
Officials told Wired that they have uninstalled TeamViewer, a popular remote-access software that allows remote desktop viewing and control. Oldsmar is in Pinellas County, the most densely populated county in Florida and part of the Tampa-St. Petersburg-Clearwater metro area, which just hosted Super Bowl LV.
How Industrial Companies & Utilities Can Prepare
Christensen said that many times, utilities with limited resources and staffing rely on the default settings of remote-access software, which often does not offer the proper level of security.
“We try to minimize risk but still allow for day-to-day operations, and we do that by ensuring clients have encrypted communications, so both ends of a connection are secured and authenticated so someone can’t take advantage as they did in this case,” Christensen said.
“Another method is through deception technology, which could have diverted this attack to a fake device where no harm can occur,” he said. “That way, you don’t have to hope someone is paying attention to the screen at the very moment a hacker tries to add a dangerous amount of lye to the water.”
Three Things Operators Can Do to Gauge Their Preparedness
1. Evaluate risks such as remote connectivity within your ICS environment.
This includes who has access, what systems they can access and the methods used to connect.
2. Develop a hardened perimeter.
OT cyber professionals often lament the loss of the “air gap,” the technique of keeping your OT network physically disconnected from other networks. Most modernization efforts have made it impractical, and relying on it can work against operators, because an isolated network also means lost visibility into what is happening on it.
By using tools and technologies that focus on hardening and defining the barrier, and by implementing compensating controls at the perimeter, you can achieve a similar risk level without losing the efficiencies of modernization. This can include tools such as encryption, segmentation, deception and authentication.
3. Engage the experts.
Many times an objective third party can help you evaluate where the gaps in your security program are and what options exist to close them. Finding a partner who can perform a comprehensive review of your OT infrastructure is important.
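As an added example (not code from this article or from GrayMatter), here is the kind of compensating control item 2 describes, applied to the incident above: a guard that validates every lye dosing setpoint write against a safe range and a maximum step before it reaches the controller, and raises an alert whenever a write arrives over a remote session. The 300 ppm ceiling, the 2x step factor, the session source labels and the user names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Policy constants are assumptions for illustration, not values from the Oldsmar plant.
SAFE_MIN_PPM = 0.0
SAFE_MAX_PPM = 300.0     # hard ceiling the lye dosing setpoint may never exceed
MAX_STEP_FACTOR = 2.0    # a single write may at most double the live setpoint

@dataclass
class SetpointChange:
    source: str      # "local_hmi" or "remote_session" (assumed labels)
    user: str
    old_ppm: float
    new_ppm: float

@dataclass
class Decision:
    allowed: bool
    alerts: List[str] = field(default_factory=list)

def evaluate_change(c: SetpointChange) -> Decision:
    """Range and step violations block the write; a remote origin is always
    alerted on, so an operator is told even when the value is within bounds."""
    blocking = []
    if not (SAFE_MIN_PPM <= c.new_ppm <= SAFE_MAX_PPM):
        blocking.append(f"out_of_range: {c.new_ppm} ppm not in [{SAFE_MIN_PPM}, {SAFE_MAX_PPM}]")
    if c.old_ppm > 0 and c.new_ppm / c.old_ppm > MAX_STEP_FACTOR:
        blocking.append(f"step_too_large: {c.old_ppm} -> {c.new_ppm} ppm")
    alerts = list(blocking)
    if c.source == "remote_session":
        alerts.append(f"remote_origin: user={c.user} wrote {c.new_ppm} ppm over a remote session")
    return Decision(allowed=not blocking, alerts=alerts)

def apply_changes(start_ppm: float, changes: List[SetpointChange]) -> Tuple[float, List[str]]:
    """Replay writes in order; return the resulting setpoint and every alert raised."""
    setpoint, alerts = start_ppm, []
    for c in changes:
        # Check against the live value, not the old value the writer claims.
        d = evaluate_change(SetpointChange(c.source, c.user, setpoint, c.new_ppm))
        alerts.extend(d.alerts)
        if d.allowed:
            setpoint = c.new_ppm
    return setpoint, alerts

# Constructed sequence: two routine adjustments, then the 100 -> 11,100 ppm write from the incident.
SAMPLE_CHANGES = [
    SetpointChange("local_hmi", "day_operator", 100.0, 120.0),
    SetpointChange("remote_session", "vendor_support", 120.0, 100.0),
    SetpointChange("remote_session", "unknown", 100.0, 11100.0),
]
```

Placed in front of the controller write path, or run over a historian's setpoint audit log, the guard rejects the 11,100 ppm write outright and routes its alerts to whoever is watching the plant, rather than depending on someone noticing the cursor move.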