Hacker breaks into Florida water treatment facility, changes chemical levels

Hackers broke into a water treatment facility in Florida, gained access to an internal ICS platform and changed chemical levels, making the water unsafe to consume.

Authorities in Pinellas County are investigating the incident with the help of federal and other local law enforcement agencies. Sheriff Bob Gualtier said on Friday, February 5, hackers remotely accessed a computer system that a plant operator was monitoring. The computer system was set up with a software system that allows for remote access where authorized users can troubleshoot system problems from other locations. "The remote access at 8 a.m. on Friday morning was brief and the operator didn't think much of it because his supervisor and others will remotely access his computer screen to monitor the system at various times," said the Sheriff.

Nothing happened from that intrusion early in the morning, Sheriff Gualtier said. However, at 1:30 p.m., someone again remotely accessed the system and it showed up on the operator's screen with the mouse being moved about to open various software functions that control the water being treated in the system. "The [hacker] remotely access the system for about three to five minutes opening various functions on the screen. One of the functions opened by the hacker was one that controls the amount of sodium hydroxide in the water. The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million," the Sheriff explained.

"This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It's also used to control water acidity and [to] remove metals from drinking water in the water treatment plants. After the intruder increased the parts per million, the intruder exited the system and the plant operator immediately reduced the level back to the appropriate amount of 100," he said.

Because the operator noticed the increase and lowered it right away, at no time, was there a significant adverse effect on the water being treated. Importantly, the public was never in danger. Even if the plane operator had not quickly reversed the increased amount of sodium hydroxide, it would have taken between 24 and 36 hours for that water to hit the water supply system and there are redundancies in place where the water had been checked before it was released, said Sheriff Gualtier.

A similar attack was launched last year in Israel, where authorities believe Iranian threat actors attempted to disrupt water supplies in at least two locations in Israel. The incident was quickly detected and thwarted before it could cause damage.

Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, explains, “Public utilities, including power and water systems, have been prime cyberattack targets for years. There’s a whole Russian cyber team, “Energetic Bear,” focused on hacking American energy infrastructure. In the Oldsmar case it’s premature to assign motive or place blame. However, we’ve seen enough breaches of the US power grid, water systems, and even nuclear plants to conclude this: protecting these critical facilities, and upgrading their cyber defenses, should be a far higher priority.”

Heather Paunet, Senior Vice President at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs, says, “As we begin 2021, governments, as well as every other type of business, continue to have their employees work remotely. As IT departments reacted quickly in 2020 to enable all their employees to work from home, ensuring a secure work-from-home environment took a bit longer to get right. As employees transitioned to remote work, they put their work devices onto their home networks, which would not have all the safeguards in place as their in-office network had."

Paunet adds, "This can create opportunities for bad actors to hack into networks and potentially cause dangerous situations. In the case with Oldsmar's water treatment plant, it was found that someone had access to their computer system remotely. With remote access being much more common due to fewer on-premises workers, this may not have been noticed as quickly as it should have been. When thinking about remote access, business of all sizes, and all industries should consider:

Use of VPN technologies: provide a secure tunnel, and credentials that are given to employees to access internal resources and keep critical systems protected.
Proper onboarding and offboarding: as employees join and leave a company, it is important to ensure that access is only given if needed, and revoked immediately as employees leave.
Segregation of network access: ensure that employees are only given access to the systems that they need. Putting different systems on different networks that are only accessible by the groups of employees that need them is important to ensure that if a breach does happen, less systems can be compromised.
Dedicated work devices: during times such as the rapid shift to working from home in 2020, where many employees ended up accessing systems remotely, providing a dedicated device to employees rather than allowing employees to access the corporate network from their own devices will give IT departments the most control of their infrastructure.
Continual employee training: teaching employees how to recognize phishing emails, is just as important as putting in place protective systems. As security adversaries find new ways to infiltrate networks, keeping employees trained and up-to-date will only strengthen your network security.

"While cybersecurity vendors continually come up with new solutions to guard against data breaches, there are cybersecurity adversaries that are working just as hard to break down those solutions and find new ways to get ahead of those vendors," Paunet says. "That’s why it’s important to stay a step ahead of hackers by keeping up on the latest technologies and providing multiple security layers of protection. If a bad actor does get through the strongest barriers, having multiple security layers provides protection to help isolate the threat and minimize the impact.”

Alec Alvarado, Threat Intelligence Team Lead at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “The attack on the water treatment facility in Oldsmar is a chilling example of how cyberattacks can have more than just financial impacts. Systems belonging to our critical infrastructure are some of the most difficult to maintain. Every day, countless vulnerabilities are found, some of which are so critical that they need to be patched immediately. Enforcing a strong patch management strategy is challenging but is even more challenging in facilities that can't afford lengthy downtimes. Although we aren't sure how the threat actors got access to the Oldsmar water facility systems, it isn't farfetched to believe this attack could happen to other facilities. Regarding attribution, little has been released, but there are some things you can conclude based on reporting. The activity doesn't seem financially motivated, which would suggest either a nation-state actor or hacktivist conducted the attack. Hacktivism usually involves a quick claim for an attack; this is done to draw attention to their movement. Hence why defacement or DDoS is so popular in hacktivist attacks. The covert nature of this attack points more toward a possible nation-state actor.”

“Remote sessions tools, such as TeamViewer or Remote Desktop Protocol (RDP), should never be accessible from the outside. In this case, it seems that this was the case, likely combined with weak or easy to guess passwords," explains Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software. "If these tools are in place an organization should have all precautionary measures in place to verify the settings, keep them in accordance with NIST or CIS controls, monitor the access and control any change happening to the device with this tools installed. Unfortunately, this is not always the case and attackers seem to have an easy play to get access to critical systems. It is easy to find about 250 systems using these tools connected the public internet, and within two minutes, to have access to an unprotected system belonging to a water utility provider in Florida. Previous research, including the Solarium report, have documented that Critical Infrastructures are vulnerable, and sometimes it is not hard at all to get access to one provider. That status is the same across all critical sectors including healthcare. Whether there are any access logs available in this incident is an open issue. However, the original statement seems to indicate that there are none and identification and attribution will be difficult.”

Austin Berglas, former head of FBI NY Cyber and Global Head of Professional Services, at cybersecurity firm, BlueVoyant, who was the lead on investigating The Bowman Avenue Dam that was wrapped up in an Iran hacking case, says, "Along with energy production and manufacturing, water supply facilities are part of the United State’s critical infrastructure and have long been targets for cyber attack from both criminal and state sponsored entities. Water facilities rely on systems control and data acquisition (SCADA) systems to manage the automated process or water distribution and treatment. Many of these industrial control systems (ICS) are outdated, unpatched, and available for review on the Internet, leaving them incredibly vulnerable to compromise. In addition, many ICS solutions were designed for non-internet facing environments and therefore did not incorporate certain basic security controls - this offers additional vulnerabilities as more and more operational technology environments are allowing access to their ICS systems from the Internet. In 2013, the FBI investigated a compromise of the Bowman Avenue Dam in Rye Brook NY and found that members of the Iranian Revolutionary Guard had gained access through Internet facing controls. Although the Dam was not functioning at the time and was most likely not the Iranian’s main target, it demonstrates the vulnerability of certain critical infrastructure when their ICS systems are allowed to be exposed to the Internet and not isolated."

“The explosion of Internet of Things (IoT) uses cases offers endless efficiencies, but also increased risk, for municipalities, utilities, and critical infrastructure providers. The recent remote hack of a water quality system in Florida is another case in point for cities and towns, as well as the manufacturers of the devices used in street lights, utilities, and even water systems, of the need to ensure secure communications using certificate-based authentication and other advanced cybersecurity technologies, says Alan Grau, VP of IoT at Sectigo, a provider of digital identity management and web security solutions.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?