Water plant attack highlights vulnerability of industrial networks

April 18, 2021

Cyber security experts agree that the attack on the Oldsmar water treatment plant in the US state of Florida was easily preventable. This raises a “red flag” regarding the security of critical infrastructure.

On February 5 of this year, Oldsmar suffered a cyberattack in which an intruder drastically changed the setpoint for one of the chemicals used to treat the water. The attacker was inside the system for less than five minutes, and the plant operator reversed the change immediately.

The attack targeted the chemical balance of the water, probably with the aim of poisoning the city’s roughly 15,000 residents. The plant operator who reversed the change said that the sodium hydroxide (caustic soda) setpoint had been raised from 100 parts per million to 11,100 parts per million, a concentration that can cause skin and eye irritation, burns, vomiting and even death.

A clear example of how an intrusion into critical infrastructure, at any level, can put lives at risk. It underscores the need for intelligent, real-time monitoring of critical infrastructure: network monitoring with anomaly detection, provided it had a baseline of what normal remote sessions look like, would have flagged the login on the morning of the incident as suspicious and potentially dangerous.

Although the incident caused no damage, it shows once again how vulnerable industrial networks are, and how quickly and easily critical infrastructure serving thousands of people can be targeted for disruption.

An analysis by the Nozomi Networks Labs team concludes that the attack on Oldsmar was technically simple. If an unsophisticated attacker could, with a few mouse clicks, set in motion the mass poisoning of a town’s water supply, what could a moderately or highly skilled attacker do?

The most likely hypothesis is that the attacker got in through TeamViewer, a remote access application installed on the plant’s systems. According to CSO, the software has a history of security problems but was the most affordable way to provide remote working in the midst of the Covid-19 pandemic. The attacker reached the Industrial Control System (ICS) remotely, most likely using stolen or leaked credentials.

Had TeamViewer not been installed, the attack probably would not have happened: that application gave the attacker access to SCADA equipment that was exposed directly to the Internet. This is one of the most valuable lessons of the episode: industrial control systems (ICS) and SCADA equipment should be isolated from the rest of the computer network and protected accordingly.

If ICS or SCADA systems must be reachable from the Internet, additional controls are needed to mitigate the risk. If remote access software is used, it should be configured as view-only wherever possible, so that the remote user can observe the device but not operate it. In addition, a firewall must sit in front of the equipment and admit only the sources and ports the remote-access tool actually needs. Connecting any technology to the Internet without a firewall is a recipe for disaster.

Oldsmar highlights the vulnerable state of many ICS installations

Accepting that we will have to live with remote access and supply chain risks of this kind for the foreseeable future, how can we reduce their impact?

For starters, real-time attack detection should not rest on the vigilance of a single operator. Even if downstream safety layers would probably have reported the massive increase in the chemical sooner rather than later, it is doubtful that the tampering of a slightly more sophisticated attacker would have been caught in time to prevent the worst.

The incident underscores the need for an end-to-end intrusion detection system capable of detecting and reporting any change to critical infrastructure networks in real time, points out Klaus Mochalski, CEO of Rhebo, in an article for Paessler’s blog.

In addition, he said, an industrial endpoint protection system would have added the ability to automatically block certain operations directly on the remotely controlled assets.

In cases like this, protection mechanisms at the edges of the infrastructure are particularly important. “They are effective when the first access to the system occurs, because they make it possible to stop attacks before they get too far. And they also help prevent lateral movement of the attack,” he comments.

Through a combination of proactive defensive protection and enhanced visibility or network monitoring, critical infrastructure managers can better position themselves against intrusion attempts.

Taking and continuously updating an inventory of all network assets gives security teams real-time visibility into their devices, connections, communications and protocols, so they can monitor, identify and troubleshoot the network problems that threaten reliability.

Not coincidentally, since last year organizations have been placing more emphasis on threat detection for critical infrastructure services. Cybersecurity spending in this area is expected to exceed $105 billion this year, with the Asia-Pacific region leading the spending, according to ABI Research.

In July 2020, a study by CyberNews showed how easy it would be for an attacker to get into U.S. critical infrastructure through insecure industrial control systems (ICS), simply by using search engines and dedicated scanning tools to find exposed ports and take control remotely.

“Similar attacks could also happen in the UK and the rest of Europe,” says Scott Nicholson, director and cybersecurity and data privacy expert at Bridewell Consulting, as well as a consultant to the UK National Cyber Security Centre (NCSC).

In its recently published report “CNI Cyber Report: Risk and Resilience”, Bridewell writes that there is a large gap between the perceived and the actual cyber threat to CNI. Although 78% of the 250 organizations it surveyed are confident that their operational technology (OT) is protected against cyber threats, and 28% very confident, this does not appear to match reality: 86% of organizations had detected cyber-attacks on their OT/ICS environments in the previous 12 months, and nearly a quarter (24%) had experienced between one and five successful attacks.

Water and transportation are the sectors that have experienced the most successful attacks, but aviation, chemicals and energy are also constant targets.

5 steps to help protect critical infrastructure from attack

  1. Secure remote access – remote access is often the easiest way for attackers to get into a network. Managers need to secure it with endpoint protection, good password management, strong authentication methods and firewalls.
  2. Invest in asset inventory – if you can’t see all the devices on the network, you cannot secure or segment it for greater resilience. By maintaining a real-time inventory of all network assets, security teams gain accurate visibility into their devices, connections, communications and protocols.
  3. Identify and remediate vulnerabilities – industrial networks contain thousands of OT and IoT devices from multiple vendors, most of which were not designed to the level of security a critical infrastructure environment requires. Tools that match installed devices and firmware against the National Vulnerability Database (NVD) can help determine which devices are at risk, prioritize them and recommend firmware updates.
  4. Monitor for anomalies – automated network anomaly detection solutions use machine learning to baseline the actual parameters used to control the industrial process (setpoints, commands, traffic patterns) and flag deviations from that baseline.
  5. Secure the integration of OT and IT networks – OT knows how to meet production goals and keep the plant running safely, while IT knows how to solve network and cybersecurity problems. Combining the two gives greater resilience, reducing blind spots and security risks around highly connected industrial control systems. Still, OT will also require dedicated security tools.
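To make the monitoring point concrete (the remote login flagged as suspicious, and anomaly detection against the parameters that control the process, step 4 above), here is a small added example in Python. It is not code from the article, from Nozomi, Rhebo or any other vendor; it runs two checks over constructed historian and remote-access records: a process-bounds check on setpoint writes, and a context check on remote logins. The tag name `NaOH_dose_ppm`, the 50–200 ppm engineering band, the 3x jump threshold, the 07:00–17:00 maintenance window and the allow-listed jump host `10.20.30.5` are all assumptions chosen for illustration; a real plant takes those limits from the process engineer.

```python
"""Anomaly checks over constructed ICS historian and remote-access records.

Added example, not code from the page or any vendor product. Tag names,
engineering limits, the maintenance window and the allow-listed jump host
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical engineering limits per tag, (low, high) in the tag's units.
SETPOINT_LIMITS = {"NaOH_dose_ppm": (50.0, 200.0)}
MAX_JUMP_FACTOR = 3.0                           # assumed: >3x change in one write is anomalous
MAINTENANCE_WINDOW = (time(7, 0), time(17, 0))  # assumed hours when remote work is expected
ALLOWED_REMOTE_SOURCES = {"10.20.30.5"}         # assumed jump host all remote sessions must use


@dataclass
class Alert:
    ts: str
    kind: str
    detail: str


def check_setpoint_write(ts, tag, old, new):
    """Flag a setpoint write that leaves its engineering band or jumps too far.

    Unknown tags get no band; the jump check still applies to them.
    """
    alerts = []
    lo, hi = SETPOINT_LIMITS.get(tag, (float("-inf"), float("inf")))
    if not lo <= new <= hi:
        alerts.append(Alert(ts, "setpoint_out_of_bounds",
                            f"{tag}: {old} -> {new} (allowed {lo}-{hi})"))
    if old > 0 and new > 0 and max(new / old, old / new) > MAX_JUMP_FACTOR:
        alerts.append(Alert(ts, "setpoint_jump",
                            f"{tag}: {old} -> {new} is a {max(new / old, old / new):.0f}x change"))
    return alerts


def check_remote_login(ts, src, user):
    """Flag an interactive remote login from an unlisted source or outside hours."""
    alerts = []
    when = datetime.fromisoformat(ts)
    if src not in ALLOWED_REMOTE_SOURCES:
        alerts.append(Alert(ts, "login_unknown_source", f"{user} from {src}"))
    start, end = MAINTENANCE_WINDOW
    if not start <= when.time() <= end:
        alerts.append(Alert(ts, "login_outside_window",
                            f"{user} from {src} at {when.time():%H:%M}"))
    return alerts


def scan(events):
    """Run both checks over chronologically ordered events.

    A write made while a session that was flagged at login is still open gets
    an extra alert, so the operator sees not only that a value is wrong but
    who was connected when it changed.
    """
    alerts = []
    suspicious_src = None
    for e in events:
        if e["type"] == "login":
            found = check_remote_login(e["ts"], e["src"], e["user"])
            suspicious_src = e["src"] if found else None
        elif e["type"] == "logout":
            found = []
            suspicious_src = None
        elif e["type"] == "write":
            found = check_setpoint_write(e["ts"], e["tag"], e["old"], e["new"])
            if found and suspicious_src:
                found.append(Alert(e["ts"], "write_during_suspicious_session",
                                   f"{e['tag']} changed while {suspicious_src} was connected"))
        else:
            found = []
        alerts.extend(found)
    return alerts


# Constructed sample records, not real plant data. The first three are a routine
# session from the jump host and a small tuning change; the last two are a
# session from an unlisted address followed by a 100 -> 11,100 ppm write.
SAMPLE_EVENTS = [
    {"type": "login", "ts": "2021-02-05T08:02:00", "src": "10.20.30.5", "user": "vendor_svc"},
    {"type": "write", "ts": "2021-02-05T08:06:00", "tag": "NaOH_dose_ppm", "old": 100.0, "new": 110.0},
    {"type": "logout", "ts": "2021-02-05T08:10:00", "src": "10.20.30.5", "user": "vendor_svc"},
    {"type": "login", "ts": "2021-02-05T13:30:00", "src": "203.0.113.77", "user": "vendor_svc"},
    {"type": "write", "ts": "2021-02-05T13:33:00", "tag": "NaOH_dose_ppm", "old": 100.0, "new": 11100.0},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.ts} {a.kind}: {a.detail}")
</```

Note that the second login in the sample falls inside working hours, so a time-of-day check alone would have let it through; it is the source allow-list and the engineering band on the setpoint that raise the alarm. Flagging is still only detection: a view-only remote tool, or an endpoint control that refuses writes outside the band, is what turns the alert into a prevented change.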