Hacker Attempts To Poison Florida Water Supply

What We Know of the Attack

One of the most disheartening things to learn about in the cyber security world is when threat actors take the liberty to use their talents to harm someone physically.  Don’t get me wrong, it’s not acceptable to do harm to disrupt lives and services, but it takes a special kind of person to want to do bodily harm to others.

Last week it was reported that a Florida metropolitan water plant was a victim of a cyber attack.  The threat actor reportedly accessed the water plant’s supervisory control and data acquisition or SCADA system to manipulate equipment that regulates the distribution of chemicals.

According to Pinellas County Sheriff Bob Gualtieri, the plant operator at the Oldsmar’s water treatment plant discovered anomalies in a computer system that was acting irregularly.  According to the plant operator, the threat actor used a popular remote monitoring software tool, typically used by IT admins and professionals to remotely monitor and access computer systems.  

The uninvited guest accessed the system at least twice that day, but the operator noticed on the second unauthorized access later that afternoon, that the user was able to increase the levels of sodium hydroxide commonly known as Lye into the water supply.  

Lye is a primary chemical used in liquid drain cleaners.  In small quantities to water systems, it is used to reduce the acidity in water and has other practical applications.  According to the Center of Disease Control (CDC), in high concentrations, Lye can cause irritation to skin and eyes as well as cause temporary hair loss.  It is recommended that if swallowed, individuals should seek immediate medical attention.

Despite how terrible an incident this could have become, it is reassuring to know that the plant had redundancy checks in place.  According to Sheriff Gualtieri, it would have taken nearly 24-hours for the increased amount of Lye to hit the water supply system and even at that point, there are testing and alerting systems in place near the end of the pipe that would allow for an emergency shutdown.  I shudder to think the outcome if those controls were bypassed and the operator had not seen the intrusion in real-time.

The Psychology of the Attack

It can’t be helped that my mind automatically goes to this being an insider attack.  The amount of time reportedly it took the threat actor to remotely log in and directly go into the right application used to distribute chemicals was a matter of minutes. I’m not familiar with the system, but to know which chemicals to elevate suggests a level of knowledge and familiarity with that particular plant’s infrastructure that would be akin to an employee or vendor familiar with the environment.   Simply put, it’s one thing to press random buttons and it’s another thing to press the right combination of buttons. 

Of course, it cannot be dismissed that this could be an outside threat as we do not know how long the reconnaissance was on Oldsmar.  It could certainly explain the familiarity with the systems.  It’s also plausible that a vendor could have been compromised and that their credentials could have been used as the initial attack vector but the method of attack rings hollow for anything more than this being an insider.  Why?  

Most technical savvy individuals know that remote software solutions like the one used, are extremely noisy and attribution is typically important to threat actors including nation-state. Among gaining access to a target’s machine, it is equally important for them to disguise their methods.  This actor was very boldent in their method. They logged in the earlier morning, quickly logged off then logged on approximately 5 hours later all visible by the plant’s employee.  If they wanted to gain access to a city of 15K people, there are less conspicuous options and methods to so.

Addressing The Flaws

Utility companies should be treated like banks.  It’s not enough to secure the front door and the physical vault, but you must take precautionary steps to secure the networks especially for systems that have the ability to cause significant bodily injury if malfunctioned and/or can be accessed through the internet.  Here are a few tips to better secure these assets:

  • Users/Passwords
    • For all systems including remote access tools, each user should have their own username and password.  Passwords rules should be enforced and include lengths of 8 characters or more, uppercase, lowercase, special and/or numeric characters.
    • Passwords should expire automatically at minimum, once every 180 days.  For critical systems, it may be more appropriate to use 90-days.
    • Inactive accounts or accounts that have not been used in 60 days, should automatically be disabled.
    • Terminated employees or vendors access should be disabled immediately.
    • It may be tempting to have one password to rule them all for the sake of ease of use; however, this makes it easier for disgruntled or skilled adversaries to retaliate or cause harm the company.
  • VPN with 2-Factor authentication (2FA)
    • We discussed the importance of 2FA in our previous post, but it cannot be stressed enough that if anyone is accessing a company network from the internet, a VPN should be in place with 2FA enabled.  The VPN will help ensure the connection is secure and can log a user for accountability purposes.
    • 2FA will also provide another layer of security in the event that the password is compromised.
  • Intrusion Detection and Prevention Systems
    • Commonly known as IDS and IPS systems, these can be fine tuned to identify and notify administrators of anomalies for incoming and outgoing connections.  If a user is logging into a system at odd hours of the day/night or multiple connections (excessive logins) are made in a certain amount of time, action can be taken.
  • Enabling Logging on Centralized Off-Site Server
    • One of the most common things overlooked when implementing security controls is logging.  Logging is the ability to track and provide attribution for users.  Coupled with a Security Information and Event Management (SIEM) tool can give an early advantage on unknown and suspicious activity on the network.
    • Having a seperate off-site server that pulls in all of the logging information will help prevent threat actors from covering their tracks and provide integrity to the logs.

The above suggested controls are not an end-all be-all, but should be considered the bare minimum technical controls put into place to help deter intrusion into critical infrastructures like the public utilities.

The Aftermath

As information develops about this event, I will update this section.

To support this blog, this post may contain affiliate links. Please read our Privacy Policy for more information.
Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.

Related Posts

Title Image: AI Security Realities: Rethinking PII as the Sole Indicator

AI Security Realities: Rethinking PII as the Sole Risk Indicator

During a client meeting, I addressed misconceptions about cybersecurity, especially the notion that absence of PII equates to no risk. I discussed how cyber threats extend beyond data theft to include system vulnerabilities that could disrupt operations and impact users, citing the SolarWinds and New York Times attacks as examples. I explained that comprehensive assessments are crucial for understanding broader cybersecurity risks, not just those involving PII. Additionally, I highlighted the importance of protecting AI models from poisoning, underscoring the need for robust security measures in AI development.

10 Ways to Improve Your Math Skills for Cybersecurity

10 Ways to Improve Your Math Skills for Cybersecurity

As highlighted in our earlier discussion, The Intersection of Math and Cybersecurity, a solid grasp of mathematics is indispensable within the realm of cybersecurity. The specific demands…

The Intersection of Math and Cybersecurity - Does Cybersecurity Require Math?

The Intersection of Math and Cybersecurity

During my weekend exploration of a renowned Q&A platform, I unexpectedly encountered a question that left me intrigued. I couldn’t help but wonder if the original poster (OP) was playfully jesting or sincerely seeking knowledge. This curious moment brought forth a reminiscent smile as I recalled the age-old adage we all encountered during our early school years: “Math is fundamental to all endeavors.” However, an interesting twist emerged: Does this axiom extend its influence into the intricate realm of Cybersecurity?

Client Confidence Crisis: How Neglecting Security Practices Can Drive Customers Away

In today’s digital landscape, establishing an Information Systems Security Program (ISSP) is no longer optional but a crucial necessity for organizations. This blog post explores the vital importance of implementing an ISSP early on and understanding the factors that influence its establishment and modification. Senior management’s role in championing ISSPs is emphasized, as their buy-in and recognition of its significance set the tone for organizational security practices.

However, misconceptions and flawed reasoning often hinder the adoption of robust security measures. From the belief that “it will never happen to us” to relying solely on insurance coverage, these notions can prove detrimental to an organization’s security posture. Furthermore, assumptions that clients don’t care about security or that the cloud provides ultimate protection are debunked, shedding light on the evolving expectations and regulations surrounding data protection.

The ugly truth emerges as we delve into the constant threat of internet vulnerability scans and the risks organizations face when vulnerabilities are discovered. This post aims to dismantle these flawed mindsets, highlighting the need for a comprehensive security approach beyond insurance coverage and the importance of addressing vulnerabilities proactively.

Stay tuned for the upcoming parts of this conversation, where we will explore additional influential factors and provide insights into developing effective ISSPs. Together, let’s navigate the complex world of system security and ensure the protection of your organization’s invaluable assets.

Maximizing Email Security: Understanding the Importance of DKIM, SPF, and DMARC

Email is a crucial part of our daily lives, but unfortunately, it’s also a popular target for cybercriminals who use various tactics like spam, phishing, and spoofing to scam people. The FTC recently issued a warning to users of MetaMask and PayPal about phishing scams that are currently circulating through fake emails. The scam claims that the user’s cryptocurrency wallet has been blocked and encourages them to click a link and update their wallet to prevent the loss of their crypto. To protect email users from these threats, authentication protocols like DKIM, SPF, and DMARC are strongly recommended.

Top 10 Cybersecurity Job Sites

Top 10 Job Sites for Cybersecurity Professionals

As the world continues to rely heavily on technology, the demand for cybersecurity professionals continues to grow. Cybersecurity jobs offer high salaries, job security, and a wide range of career options. However, finding the right job can be challenging.