Insight: Florida city’s water supply attack

Last week criminals accessed a Florida water treatment facility's system through the remote desktop software, TeamViewer and increased the amount of sodium hydroxide to dangerous levels (more than 100 times the normal), which would severely damage any human tissue it touches.

The plant provides water to around about 15,000 residents in the city of Oldsmar.

The employee who noticed the intrusion quickly reset it back to normal levels and local officials say the public was never in danger and that redundancies would have triggered alarms had the levels set by the attacker not been detected by an operator.

NCC Group’s Damon Small and Jim McKenney share their thoughts on what happened.

How did the attacker get in?

We don’t yet know for sure, but it appears that the adversary was able to connect to commercial remote access software installed on a computer. By the victim’s own admission, such remote access was used often. The fact that the mouse on the computer was moving did not become alarming until the configuration of the water treatment was changed in a dangerous way.

The intrusion was detected and remedied quickly, and this is a good sign.

Water treatment facilities are complex systems of old and new technologies that require a detailed understanding of technology, operations and process control to maintain reliability, availability, maintainability, safety and security.

It is a good sign that the operator noticed the change and quickly reset it back to normal levels. A trained and observant operator is crucial to this. This positive outcome to a cyber-attack emphasizes the need for the “out-of-the-loop” human element to safeguard system critical to quality (CTQ) and safety critical (SC) functions.

Are we likely to see more attacks like this, and if so, why?

It is possible, yes. Having local support at every facility is costly, so providing for remote access in and of itself is not a bad thing. However, it is likely that this organization did not configure their remote access software to require strong authentication. We should resist the urge to make assumptions at this point, but until we know who the adversary was and whether it was an insider attack or someone from the outside, it is impossible to know for sure what led to the unauthorized access.

What needs to happen?

Any operator should be sure to use strong authentication for its remote access systems. They should not use shared usernames and passwords, and if possible, they should require the use of multi-factor authentication (MFA). MFA requires a username and password, and then another code of sorts from a mobile device or other application that an attacker would not likely have access to. MFA makes unauthorized access much more difficult to achieve.

We must be mindful that this industry is under a great deal of pressure to decrease costs and often, at first glance, the most expedient way to achieve this is to sacrifice labor by pursuing software and cloud-based automation solutions.

We must also be mindful of the potential negative consequences of this choice and the cyber risks this exposes the public to.

Although this was an unfortunate event, the water authority should be credited for being transparent in their hosting a press conference very soon after the incident was discovered.

Cybersecurity incidents will continue to happen against critical infrastructures, and the more we communicate openly about them the better we will become at preventing them.