Officials in Florida announced that hackers came scarily close to poisoning the city of Oldsmar by changing the chemical levels during a breach of the computer system at the local water treatment plant.
It was a wake-up call, said Pinellas County Sheriff Bob Gualtieri. “Water systems, like other public utility systems, are part of the nation’s critical infrastructure and can be vulnerable targets when someone desires to adversely affect public safety.”
The Guru reached out to several cybersecurity experts to get their reactions on the news:
Bryan Embrey, director of product marketing at Zentry Security:
“This event illustrates that attacks are not limited to financial or personally identifiable information, but also industrial systems including control systems, energy, transportation, and water. Moreover, few attacks are witnessed ‘in progress’ by staff – most are more covert in nature. This attack could have been further mitigated by leveraging zero trust principles such as multi-factor authentication (MFA) and least-privilege policy access, preventing an unauthorized user from gaining access to sensitive resources.
Infrastructure attacks are becoming more common. Attacks against Supervisory Control and Data Acquisition (SCADA) systems and control systems are increasing in frequency. Ukraine has suffered power outages and Chernobyl radiation monitoring issues in recent years due to cyberattacks, and Israel prevented an attack on its water system in mid-2020. But other countries including USA, Japan, and Iran (most famously due to Stuxnet) have also been victims of industrial attacks, according to CISA (Cybersecurity & Infrastructure Security Agency). And analysts believe that electrical grids in North America will be increasingly targeted. Wider implementation of zero trust technologies like MFA, access policy deployment, and end-to-end encryption, as well as greater awareness of both security in critical infrastructure (CI) and common attack vectors like spear phishing can mitigate and possibly lessen the impact of future attacks.”
Sam Curry, chief security officer at Cybereason:
“With the U.S. Secret Service and FBI involved in trying to determine the cyber culprits poisoning the Florida water supply, this is another reminder that cyber threats against critical infrastructure networks are real. For nearly a year since the beginning of COVID-19 pandemic, threat actors have carried numerous acts of war against research companies, hospitals and other first responders. These attacks are brazen, shocking and downright maniacal. While this attack wasn’t against Florida’s two largest counties, Miami-Dade or Broward County, any attempt to poison a water supply should raise the eyebrows of local and state officials.
“What’s surprising about the manipulation of chemical levels in Florida’s water supply is the bad actors tipped their hands without first doing proofs of concept or stockpiling attacks for later use. What we don’t know if any successful attacks have taken place over the past few months and possibly not reported. It is premature to infer what the motive of the attackers were and who they are. The actor at this point could be script kiddies, terrorists, criminal ransom, nation state of any other actor. The correct response should be due process: investigate, understand, learn, improve, follow the investigation and data and constantly get better. Acts of War are determined by the State and among states. If the U.S. can point to a culprit and says it is, then that’s what matters. The details thus far are scant but we will all be listening to the postmortem and hope the current administration provides a deeper response and holds the adversaries responsible for this act responsible. To be clear, the investigation is what matters. Where is leads, who it involves and how we interpret that are all to be determined.”
Tim Erlin, VP at Tripwire:
“While this incident will rightfully cause concern, it appears that likelihood of real damage was minimal due to the fail safes in place. There are real impacts to be worried about, and actions to be taken, but this doesn’t appear to be a sophisticated or novel attack.
“From a cybersecurity standpoint, we should be particularly concerned about how the attacker was able to authenticate into the remote access software. That entry point should be very well protected, given that it provides access to such obviously sensitive capabilities. Protecting remote access into industrial systems where these types of changes can be made should be a high priority for any industrial environment.”
Hugo van den Toorn, manager for offensive security at Outpost24:
“This is a good example of how cyber-attacks can have a tangible impact and risk on our daily lives. These systems should not be accessible by unauthorized individuals over the Internet. Management of these devices should always be placed entirely out of band to prevent issues like this. The fact that this required an operator to physically spot the mouse move might have been sheer luck in detecting this attack. There should be detective and responsive digital security systems in place instead of relying solely on an individual watching the right screen at the right moment. Let us hope forensic investigations prove that this was just a random act of hacking, instead of an attacker with a more sinister motive.”
Brian Higgins, security specialist at Comparitech.com:
“A similar attack was reported by Verizon in 2016. Back then it was a water filtration plant in Syria, during the civil war. The underlying security issue is one of SCADA vulnerabilities. Supervisory Control and Data Acquisition networks are relied upon to manage critical infrastructure across the globe but they are predominantly reliant upon older, legacy systems which were not designed to be integrated or connected to the internet. Pre-digital design was based on ‘air gapping’ the critical components but it has become more and more obvious to malicious actors that those gaps present unprotected points of entry for malicious software. Nation State Security Services are aware of these vulnerabilities and I would expect the authorities involved to provide a solution to the citizens of Florida currently affected by this incident.”
Niamh Muldoon, Global Data Protection Officer at OneLogin:
“This targeted attack appears to have started by the ‘bad actor’ getting access to a vulnerable network/system and working their way through the network trying to find the next weak access point while gathering data and understanding how the organization operates along the way. In this instance, understanding the information assets, applying not only MFA but enhanced multi-factor authentication, would have reduced the risk of this unauthorized attack materializing. It’s a critical part of the MFA policy to enforce time limits for end-users and their trusted devices to re-authenticate, requiring them not only to validate themselves but also the identity of the device trying to access critical systems/applications and the network. Without knowing more of the details, applying enhanced MFA to the execution of critical actions particularly for IT and systems administrators would have reduced the associated risk further. Having logging in place, and understanding logged events would support with the associated monitoring and alerting events. After the event has happened, crisis management is critical for successfully managing the attack response to reduce business impact and consequences, and it appears the Florida agency has done that.”
Andrea Carcano, co-founder at Nozomi Networks:
“Unfortunately this attack plays into a troubling trend we’ve been following over the last year. As the pandemic forced critical infrastructure organizations to quickly shift to remote access options to keep systems up and running , we’ve seen threats rise and bad actors reach new lows – setting their sights on life threatening targets. Fortunately, in this case, operators monitoring Oldsmar’s treatment plant spotted the attack and were able to respond before anyone could be harmed. But it’s a stark reminder that with limited cybersecurity resources and few regulations water utilities are vulnerable to attack. When it comes critical infrastructure, operational resilience must a top priority and advances in AI-powered OT security and network monitoring are available to give operators the network visibility they need to quickly spot trouble and respond before harm is done.”
Richard Bejtlich, strategist and author in residency at Corelight: