An attempted cyber attack against a water treatment plant in Florida highlights endemic failures in the cyber security of the US water sector.
On 5 February, an unidentified attacker accessed the systems at a US water treatment plant in Oldsmar, Florida, and briefly altered the chemical levels in the drinking water.
While full details are still emerging, initial reporting suggests that the perpetrator gained remote access to the plant’s systems through a weakly protected software application called TeamViewer, a tool used by a large number of organisations to manage remote access to IT systems. In this case, the plant had actually stopped using TeamViewer six months ago, but left it installed. After remotely accessing the plant’s systems, the attacker was able to manipulate a control panel and significantly increase the levels of sodium hydroxide – also known as lye or caustic soda, an industrial cleaning agent – that were being distributed into the water supply. Luckily, a plant operator observed the attacker remotely access his computer – including the mouse moving on the screen and making changes – and was able to reverse the commands. It is also possible that other safeguards would have alerted staff or may have prevented chemical changes from reaching dangerous levels.
Alarming as this incident is, it is not the first of its kind. While the use of Stuxnet – a malicious computer worm – or Russia’s attacks against Ukraine’s electrical grid in 2015 and 2016 have grabbed the most public attention, disruptive cyber operations against water treatment or waste plants have occurred, largely away from public gaze, for over two decades.
In 2000, a disgruntled contractor in Queensland, Australia, used radio commands to control systems at a waste plant and cause 800,000 litres of raw sewage to spill into parks and rivers, killing marine life. In 2016, a hacktivist group gained access to supervisory control and data acquisition (SCADA) systems at an unnamed US water utility and manipulated the flow of chemicals twice – fortunately, without effect.
Iran has also been linked to several operations against water systems. An Iranian group attempted to gain remote access to SCADA systems at a small dam in New York in 2013. In spring and summer 2020, Israeli officials claimed an Iranian campaign was attempting to disrupt water treatment plants and agricultural irrigation systems. Like the latest incident in Oldsmar, the attacks against Israeli targets also used poorly secured remote access software to gain access to industrial control systems (ICS).
For now, the Oldsmar incident remains unattributed. Due to the basic nature of the tactics employed, responsibility could lie with anyone ranging from a malicious insider with knowledge of the plant’s TeamViewer software to a ‘script kiddie’ scanning for internet-facing TeamViewer instances on Shodan (a search engine for internet-connected devices), or even a state actor. However, as the ICS security analyst Joe Slowik has noted, a lack of precision and the apparent failure of the perpetrator to remove the plant operator’s visibility or control suggest that it was an opportunistic and unskilled actor, not a state.
Although the Oldsmar incident may reignite the ‘act of war’ debate that erupted in the aftermath of the SolarWinds breach, it is the apparent ease with which the attack was carried out that should be the focus of the Biden administration’s cyber security policymakers. While it is perhaps inevitable that state actors with enough time and resources will be able to disrupt critical national infrastructure (CNI), the inability to prevent more basic attacks from insiders, ransomware groups and hacktivists acts as a warning that this will be a persistent threat. And if operators are in some cases unaware of the need to implement even the most straightforward cyber risk management practices – such as limiting access from a notoriously insecure remote access tool – then it is up to policymakers and regulators to address failures in the sector.
A Huge Task
There are endemic problems in the US water sector that prevent a ‘quick fix’ for such incidents. First, there is the sheer scale of the US water sector. The US Cybersecurity and Infrastructure Security Agency estimates that there are 153,000 public drinking water systems and 16,000 publicly owned wastewater treatment systems, serving approximately 80% of the population with drinking water. Identifying the delineation of responsibilities or even accomplishing clear stakeholder mapping represents a serious problem. With such a vast landscape and small IT budgets, cyber risk management is inevitably stretched, requiring clear and well-defined guidance for operators.
Currently available policy and guidance in the US appears sparse. The Water and Wastewater Systems Sector-Specific Plan – 2015 ranks ‘cyber events’ as a ‘most significant risk’. It outlines some short-term objectives to be achieved within the two years following its publication in 2015. Unfortunately, the plan does not outline any long-term objectives, which could include supply chain and third-party risk management. Considering TeamViewer was the vector for the latest intrusion, a renewed emphasis should be placed on supply chain and third-party risk, particularly if such a tool is connected to the operational technology layer of the network.
Nonetheless, guidance is not synonymous with implementation. In the energy sector, the US implemented regulation to increase levels of cyber security and the water sector could equally benefit from a stricter set of minimum standards. However, some claim that energy sector regulation has led to a ‘security by compliance’ culture, allegedly stifling potential innovation in this field.
One of the challenges of implementing regulation is its resource-intensive nature. A shortage of qualified personnel at such establishments is a key issue, as usually there are only one or two people working in IT at each water plant. Any implementation of new, tighter regulation would therefore require a significant increase in spending on cyber security. Yet that is not to say new regulation is either unwelcome or always prohibitively expensive. Even basic minimum standards that require operators to decommission or remove technology when it is no longer used would have prevented the incident at Oldsmar.
Fluid and Flexible
Intelligent regulation would need to keep up with the times too. The coronavirus pandemic may have increased remote working in the water sector, according to a Bluefield Research paper. To operate, the US water sector still needs over 1 million people on-site, but with managers, supervisors, engineers, architects, and select asset operators all working either fully or partially from different locations, remote access remains vital for the resiliency of the system. Bluefield claimed that remote monitoring and digital asset management are already widespread across the water sector, so the pandemic did not require a huge acquisition or adoption of new technology: ‘79% of US community water systems have SCADA systems fully implemented, while just 21% have network optimisation solutions in place that facilitate remote management’. While the research supports the use of remote management to maintain the operation of plants, a renewed emphasis on cyber security is required.
Either way, the adoption of future technology will accelerate due to the pandemic, and any regulation needs to bear this technological change in mind. However, the fact remains that the water sector needs greater resources, guidance and education to manage its cyber risks. Despite the fact that in this case the attack did not succeed, new regulation and thinking are crucial as the water sector continues to dive headfirst into digitalisation and the integration of its information and operational technology systems.
Internationally, this case will generate dialogue around the appropriate standards and regulation for CNI, illustrating that the cyber resilience of CNI is only as strong as the weakest part. In the UK, work has been done in the telecommunications sector to provide guidance to operators, but other sectors require the same treatment.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.