Real world risk to people’s health from hackers demonstrated, after cyber attack attempted to poison water supply for an entire US city
The frightening risk to human health posed by computer hackers has been demonstrated this week after an incident in the United States.
In a press conference on Monday, officials of the US city of Oldsmar, Florida, revealed that a hacker had gained access to the city's water system and tried to pump in a “dangerous” amount of a chemical.
Sheriff Bob Gualtieri, alongside Oldsmar’s Mayor Eric Seidel and City Manager Al Braithwaite, explained that last Friday the hacker had gained access to an internal ICS platform and briefly increased the amount of sodium hydroxide (lye) in Oldsmar’s water treatment system.
Sodium hydroxide is highly corrosive and is often used in drain cleaners. It can cause irritation to the skin and eyes, along with temporary loss of hair.
However swallowing it can cause damage to the mouth, throat and stomach, and trigger vomiting, nausea and diarrhoea.
Thankfully for all concerned, a worker spotted the attack and reversed the action, but the consequences of the attack could have been very serious.
“There’s a bad actor out there,” Oldsmar Mayor Eric Seidel is quoted as saying.
The targeted water treatment facility supplies water to 15,000 residents and businesses in the city.
This attack has prompted speculation as to why the systems controlling vital infrastructure were not properly air gapped. US officials at the press conference pointed out, however, that even if the operator had not quickly detected the water tampering, as happened in this case, there were redundancies in place.
These include manual quality control checks, as well as sampling and testing by registered professional engineers, all of which are carried out to ensure water quality and public safety.
It is reported that the remote access programme to the Oldsmar water system has been temporarily disabled.
No arrests have yet been made, and it is not known if the hack originated within the US or abroad.
Security experts have warned for years about the risks to industrial control systems from hackers.
“Since last year, Mandiant Threat Intelligence has observed an increase in cyber incidents by novice hackers seeking to access and learn about remotely accessible industrial systems,” noted Daniel Kapellmann Zafra, manager of analysis at Mandiant Threat Intelligence. “Many of the victims appear to have been selected arbitrarily, such as small critical infrastructure asset owners and operators who serve small populations.”
“Through remote interaction with these systems, actors have engaged in limited-impact operations but none of these cases has resulted in damage to people or infrastructure,” said Kapellmann Zafra. “Fortunately, industrial processes are often designed and monitored by professional engineers who incorporate safety mechanisms to prevent unexpected modifications.”
“We believe that the increasing interest in industrial control systems by actors of this nature is the result of the increased availability of tools and resources that reduce the barrier to learn about and interact with these systems,” he said.
“While the incident does not appear to be particularly complex, it highlights the need to strengthen the cybersecurity capabilities across the water and wastewater industry similarly to other critical infrastructure sectors,” said Kapellmann Zafra.
Another expert said this example showed the need to properly air gap critical infrastructure.
“All systems used for critical networks like these should have very limited, if any, Internet access,” noted Karl Sigler, senior security research manager at Trustwave SpiderLabs.
“User accounts and credentials used to authenticate locally on the workstation and for TeamViewer should be changed frequently and utilise multi-factor authentication.”
“In this instance, it was lucky that the user was physically there to see the remote control and what settings had changed, but all critical activities should be audited, logged and monitored for abuse,” said Sigler.
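Sigler's point that critical activities should be audited, logged and monitored rather than relying on an operator happening to watch the screen can be illustrated with a small setpoint-change monitor. This is an added example, not code from the article or from any plant or vendor: the audit-log format, tag name, safe band, step limit and the sample log lines are all constructed for illustration.

```python
import re

# Constructed HMI audit-log format (hypothetical, not any real vendor's or Oldsmar's):
#   <timestamp> session=<local|remote> user=<name> tag=<setpoint> old=<value> new=<value>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>local|remote) user=(?P<user>\S+) "
    r"tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$"
)

# Safety-critical tags: engineering safe band and largest single-step change an
# operator is expected to make. Values are constructed, not plant figures.
SAFE_BAND = {"NaOH_DOSE_SETPOINT": (0.0, 150.0)}
MAX_STEP = {"NaOH_DOSE_SETPOINT": 25.0}

def check_line(line):
    """Return alerts for one audit line as (ts, tag, user, session, reason) tuples."""
    m = LINE_RE.match(line.strip())
    if not m:
        # An unparseable line is itself worth a ticket: tampering or a broken feed.
        return [("?", "?", "?", "?", "unparseable audit line")]
    f = m.groupdict()
    tag, old, new = f["tag"], float(f["old"]), float(f["new"])
    if tag not in SAFE_BAND:
        return []  # not a safety-critical tag; nothing to check
    who = (f["ts"], tag, f["user"], f["session"])
    alerts = []
    lo, hi = SAFE_BAND[tag]
    if not lo <= new <= hi:
        alerts.append(who + (f"new value {new} outside safe band [{lo}, {hi}]",))
    if abs(new - old) > MAX_STEP[tag]:
        alerts.append(who + (f"step change {abs(new - old)} exceeds {MAX_STEP[tag]}",))
    if f["session"] == "remote":
        # Any remote change to a safety-critical setpoint gets reviewed, whatever the value.
        alerts.append(who + ("safety-critical setpoint changed from a remote session",))
    return alerts

def scan(lines):
    """Run check_line over audit-log lines, skipping blanks."""
    return [a for line in lines if line.strip() for a in check_line(line)]

# Constructed sample: a routine local tweak, a large remote change, the operator's reversal.
SAMPLE_LOG = """
2021-01-15T08:00:00Z session=local user=operator1 tag=NaOH_DOSE_SETPOINT old=100 new=105
2021-01-15T13:30:00Z session=remote user=operator1 tag=NaOH_DOSE_SETPOINT old=105 new=9000
2021-01-15T13:34:00Z session=local user=operator1 tag=NaOH_DOSE_SETPOINT old=9000 new=105
"""
if __name__ == "__main__":
    for ts, tag, user, session, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {tag} user={user} session={session}: {reason}")
```

The remote change raises three separate alerts (out-of-band value, oversized step, remote session) so that a detection pipeline still fires even if the attacker picks a value inside the safe band.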
Remote access vulnerability
Another security expert said the attack demonstrated the need to reconsider the merits of allowing remote access technologies within industrial control systems.
“One of the best ways to run a company network is to constantly think like a hacker,” explained Jake Moore, cybersecurity specialist at ESET. “Connecting systems to the internet that have the potential to cause critical changes with relative ease is asking for trouble. Luckily, they had redundancies in place that would have made a fatal outcome unlikely.”
“However, whenever anything is connected to the internet there is a level of vulnerability, especially if remote tools such as Teamviewer are set up,” said Moore. “Segregating networks for maximum security is vital; if their network could be controlled externally by anyone then it offered up the chance to be controlled nefariously.”
“Thankfully the potentially lethal actions were spotted whilst in progress, but this highlights that humans still look for the easiest path of resistance and will connect remote tools for ease of use, sparing the thought of them being misused,” said Moore. “Teamviewer and other remote tools have great uses, however, if there is the potential for users to change sodium hydroxide levels, which would end up in people’s homes, then it really should be reconsidered.”
Another expert pointed out this attack demonstrated the vital importance of this type of infrastructure, which is under strain at present during the global Coronavirus pandemic.
“The attack against Oldsmar’s water supply is precisely the kind of assault on critical national infrastructure (CNI) that cybersecurity experts have been fearing for years,” noted Stuart Reed, UK Director at Orange Cyberdefense.
“It is frightening to think what might have happened if it was not for the vigilance of one of the plant’s operators,” said Reed. “Covid-19 has already placed enormous strain on UK infrastructure. As the government and NHS wrestle with the pandemic, it’s hard to imagine how the country could cope at this time if there was any major disruption to the UK’s supply of electricity or water.”
“Nonetheless, key facilities worldwide are constantly being probed for weaknesses, and there are still significant concerns about the readiness of CNI to weather increasingly sophisticated cyber-attacks, with many facilities believed to run on out-of-date and vulnerable IT systems,” said Reed. “The incident in Florida will go down as yet another near miss, but it is clear that CNI will remain a key target for hackers – inaction can no longer be tolerated.”
“Organisations responsible for the security of our CNI need to ensure that a layered approach to cybersecurity is in place, focusing on installing the best and most up-to-date software and technology possible, supplemented by investment in both people and process,” said Reed. “Only then will we have the right combination of safeguards in place to ensure that our critical infrastructure, key services, and health and safety, is not solely reliant on the watchfulness of the man or woman on duty at the time of an attack.”