Cyber Security Lessons: What About Our Critical Systems

Cyber Security Lessons: What About Our Critical Systems

July 30, 2021

Cyber security threats on major United States’ infrastructure systems has been called into question in recent months. With the major Colonial Pipeline hack and the JBS meat producer cyber hack in May 2021, we are seeing more of these cyber security attacks on our critical systems.

But...did you hear about the water supply system hack in Florida?

In this issue of “Cyber Hacked Stories”, we look at the February 2021 cyberattack on Florida’s public drinking water system. It highlights how the county handled the hack that appears to have been accessed via a remote desktop software.

Cyber Hacked Stories: Dangerous Cyberattacks on US Water Supply Systems

The Feb. 5, 2021, cyberattack on a public drinking water supply in Florida—an event that could have been much worse—illustrates the gaps in critical infrastructure cybersecurity and the need for full visibility across industrial control systems.

In a press conference on Feb. 8, Pinellas County Sheriff Bob Gualtieri shared details of the attack, explaining that someone remotely accessed the water treatment system for the city of Oldsmar, Florida. They were able to briefly change the levels of sodium hydroxide, also known as lye, from 100 parts per million to 11,100 parts per million.

The hacker appears to have been able to infiltrate the city’s water system via TeamViewer, a remote desktop software. According to Gualtieri, at 8 a.m. EST on Friday morning, a city employee noticed someone accessing the remote system and, at first, didn’t think anything of it since water workers regularly access the system remotely. Upon seeing the change in chemical content about five hours later, the plant supervisor quickly readjusted the levels and shut off remote access.

Sheriff Gualtieri said law enforcement officials don’t know why Oldsmar—a city with 15,000 residents near Tampa—was targeted, but they are investigating the event. He and other city officials stressed the many redundancies in the system that would have caught the change before the water went out to the public drinking water system.

For Oldsmar’s city officials, the key goal was to get the information out there and warn others.

“These kinds of bad actors are out there,” Eric Seidel, Oldsmar’s mayor, said. “It’s happening, so really take a hard look at what you have in place.”

The event wasn’t an accident, Gualtieri emphasized.

“It’s a bad actor,” Gualtieri said. “In order to get into the system, somebody had to use some pretty sophisticated [methods]. It’s the primary ingredient in liquid drain cleaners. It’s lye. If you put that amount of that substance into the drinking system, it’s not a good thing.”

Instances of industrial control system vulnerabilities are on the rise, with manufacturing, energy, water and wastewater plants among the most affected, according to a recent report from Claroty. In the first half of 2020, 449 vulnerabilities that could impact industrial systems were disclosed.

“Attacks against industrial control system (ICS) devices and operational technology networks tend to be targeted,” researchers at Claroty said. “While ICS and supervisory control and data acquisition vulnerability research is maturing, there are still many decades-old security issues yet uncovered.”

Dragos, a firm specializing in industrial and operational cybersecurity, applauded the city of Oldsmar for its transparency about the attack and offered some insight into remote access for critical infrastructure.

According to Dragos, TeamViewer is a legitimate software, but may not always be authorized in industrial environments. Visibility across industrial environments is essential.

“Had the operator not observed the attacker actively manipulating the screen, it’s possible that several other mechanisms in the water treatment plant control and monitoring system would have alerted plant staff to the condition,” Dragos said. “However, it’s also entirely possible that this action could have resulted in people getting sick or potentially even death.” 

The event also highlights the ongoing threats facing municipalities, according to Jeremy Turner, head of threat intelligence at Coalition.

“Municipalities are targets largely due to their tech debt—technologies that were established a long time ago and have not been maintained,” Turner told Advisen in an email. “In some cases, [municipalities] may be unaware that [they have these] technologies. Older organizations with strained IT budgets, like universities, hospitals and municipalities, are prime targets for this reason. Cyberattacks that have real-world impacts on physical systems or safety are a growing concern.”

The city of Oldsmar may not have properly protected its systems from outsiders, Turner added, explaining that a network scan of the municipality’s public-facing protections indicated some vulnerabilities.

“The first step they should take is to ensure that these controls are not accessible from the internet,” Turner said. “We do expect to see more cyberattacks causing physical harm, which was one of the primary motivators behind us adding coverage for these types of events. Attack patterns follow vulnerability patterns. The more connected systems of a certain kind are—like these control systems—the more likely it is that attackers will target [them].”

American Water Works Association (AWWA) CEO David LaFrance called the event a jarring reminder of the cyber threats facing water infrastructure.

“We live in a world where cyber intrusions are increasingly common in our personal and professional lives,” LaFrance said in a statement. “Given the essential nature of water service, it's well known that water infrastructure—and water treatment plants of all sizes—are potential targets of people with bad intentions.”

LaFrance highlighted the fact that a vigilant water operator was able to thwart the attack, adding that “The incident makes clear to all water utilities and governing boards that they must take action to prevent or discourage similar attacks.”

Lessons from the Cyber Hack Series

While our personal information is everywhere, it is not just private businesses who need to be vigilant. Our critical systems and infrastructure are open game for cyberattacks. So, protect yourself and your family’s personal information.

Simple Steps to Stay Secure

With cyberattacks posing such a prominent threat to your business or family, it is essential to create a plan to deal with this problem. Implementing and adhering to basic preventive and safety procedures will help protect your company from cyber threats.

Following are suggestions from a Federal Communications Commission (FCC) roundtable and the DHS’s Stop.Think.Connect. program for easily implemented security procedures to help ward off cyber criminals. These suggestions include guidelines for the company as well as possible rules and procedures that can be shared with employees.

Contact the team at Pasadena Insurance Agency to get a Cyber Liability cost estimate and learn more about how we help businesses and families protect their assets before something bad happens.