Stay up-to-date on water infrastructure cybersecurity by becoming a member of WaterISAC.
Update 2/17/21
Cybersecurity and Infrastructure Security Agency released their initial review of the incident.
“On February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment facility. The unidentified actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change.
As a result, the water treatment process remained unaffected and continued to operate as normal. The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system. Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present date.”
WaterISAC has provided updated analysis of the hack.
“The dust (new details/disclosures) seems to be settling on the incident at the Oldsmar, Florida Water Treatment Plant that occurred on February 5, 2021. If you haven’t already, now is a good time to assess that your utility is not as vulnerable to the same basic cybersecurity shortcomings that reportedly contributed to the incident and/or have been identified during the investigation.
Original post 2/10/21
Today officials in Florida announced that late last week an unknown malicious actor infiltrated a water treatment plant in the city of Oldsmar and made changes to chemical levels in the treatment process. Fortunately this activity was quickly observed by a plant operator and reversed. Officials indicated that the public was never in danger due to the operator’s quick action as well as to other measures that would have prevented the release of the water into the distribution system.
Access the press conference recording and related local news article.
Speaking about the incident during a press conference earlier today, the Pinellas County Sheriff noted that a plant operator observed two intrusions last Friday that were hours apart. In the second intrusion, which lasted about five minutes, the operator saw the mouse moving around as the hacker accessed various functions. One of these functions controls the amount of sodium hydroxide in the water, which the malicious actor changed from about 100 parts per million to 11,100 parts per million. The operator observed this change and immediately reversed it. The Sheriff also emphasized it would have taken between 24 and 36 hours for the water to reach the distribution system and that there are redundancies in place to check water quality before release.
Law enforcement authorities are still investigating the incident. They indicated they currently do not know whether the compromise originated from the U.S. or abroad.
While unfortunate, this incident should come as no surprise. The ICS cybersecurity community has been warning of such incidents for years. WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities includes a reference example of an attempted chemical addition in a what could happen scenario: “Blended attacks with long-lasting impacts can be mitigated by physically preventing access to process equipment and by installing independent cyber-physical safety systems. These systems should prevent conditions such as excessive levels of pressure, chemical additions, vibrations or temperature change from occurring due to malicious acts against a compromised control system.” And while there are other incidents, we do not have to go very far in history for several real world examples with multiple similar attacks on the Israeli water infrastructure in 2020 (reported in several Security & Resilience Updates).
As more is learned about this incident, WaterISAC will share information with its members and partners to help inform their security measures. In the meantime, WaterISAC strongly recommends members review and implement the mitigation measures bellow to protect themselves from similar activity:
Recommended Mitigations:
WaterISAC also urges members to report incidents and suspicious activities, first to local and other law enforcement authorities and then to WaterISAC by emailing analyst@waterisac.org, calling 866-H20-ISAC, or using the online incident reporting form.
– The WaterISAC Team