UPDATE: Feb. 12, 2021: Hackers gained remote access to the Oldsmar, Florida water plant's supervisory control and data acquisition (SCADA) system via the TeamViewer software, according to an advisory from authorities in Massachusetts. The SCADA system was connected throughout the water plant's computers, which were all using the same password for remote access.
The computers were running the outdated Windows 7 operating system, which "will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities," the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory Thursday. Microsoft discontinued support for the OS in January 2020.
The water plant's computers were also connected openly, without a firewall, to the internet, according to Massachusetts authorities.
CISA advises water and wastewater systems to install cyber-physical safety system controls, including gearing on valves and pressure switches. The controls protect smaller water plants with insufficient cybersecurity resources "from a worst-case scenario" for accessing systems.
Oldsmar representatives did not respond in time to Cybersecurity Dive's request for comment.
- The City of Oldsmar, just outside of Tampa, Florida, was targeted by a cyberattack in its water treatment plant on Friday, said Sheriff Bob Gualtieri in a press conference Monday. A criminal investigation with the FBI and Secret Service is underway.
- A plant operator noticed remote activity on the TeamViewer software around 8 a.m. Friday. The software allows for remote access for troubleshooting, and the operator assumed the actions were by a supervisor, said Gualtieri. It wasn't until the afternoon the unauthorized actor began opening functions pertaining to water treatment.
- The actor accessed the function controlling the levels of sodium hydroxide in the water, altering the amount from 100 parts per million to 11,100 parts per million, overreaching safe levels for consumption. The plant operator watching the activity reverted the levels back immediately. "The public was never in danger," said Gualtieri.
The Oldsmar attack wasn't a sophisticated, undetectable hack as the operator followed the remote actor's mouse travel across the computer screen. However, had an operator not been there to follow along the activity, the breach might have been missed.
"This is somebody that is trying — as it appears on the surface — to do something bad. It's a bad actor," said Gualtieri. "This type of hacking of critical infrastructure is not necessarily limited to just water supply systems."
Most threats to operational technology and industrial control systems (ICS) are outdated software and limited patches. Vulnerable ICS can come with decades-old equipment.
In the second half of 2020, industrial cybersecurity company Claroty found a 25% increase in disclosed ICS vulnerabilities from 2019. It was a 33% increase just from H1. Of the 449 disclosed vulnerabilities across 59 vendors, 70% were considered high or critical Common Vulnerability Scoring System (CVSS) scores. More than three-quarters of the vulnerabilities didn't need authentication to be exploited.
Over the years, the barrier between IT and OT was purposely fractured for ease of use, leading to malicious activity. Stuxnet was one of the first examples of malicious activity worming its way into an uranium enrichment facility in 2010. In 2013, foreign adversaries breached a dam outside New York City.
When cyberattacks escalate to the potential of bodily harm, it raises the question of how far can cyberthreats reach before it violates international laws.
"Someone tried to hurt (potentially kill) people through a cyberattack. That’s a big deal. All the other details are important to discuss and debate but we can’t lose the bigger picture," tweeted Dragos CEO Robert Lee.
Sodium hydroxide is the primary ingredient in liquid drain cleaners, according to Gualtieri. The additional amount of the substance would've taken between 24 and 36 hours before reaching the water supply and reaching safety redundancies and pH alarms.
Critical infrastructure in the energy, manufacturing, and water and wastewater industries are most at risk of exploitation, Claroty found. In H2 of 2020, the water and wastewater sectors accounted for 111 vulnerabilities found in The National Vulnerability Database (NVD) and in vulnerability advisories published by the Industrial Control System Cyber Emergency Response Team (ICS-CERT). In 2019, there were 72 disclosed vulnerabilities in the sector.
The Oldsmar treatment plant has since disabled the program and will "make some upgrades to other parts of the system" to prevent similar activity, said City Manager Al Braithwaite, during the press conference.