(Likely) First Cyberintrusion Into An American Water Treatment System
Yesterday, the city of Oldsmar, Florida conducted a press conference to disclose that an unknown person had remotely accessed the city’s water treatment system. The public was never in danger, since operators detected the breach quickly and reversed the changes made by the threat actor within moments. The change made to the system was “loud” — the level of lye was increased 100x — and even if the human operator had not been watching the screen in real time, pH-level sensors would have detected the change shortly thereafter. It is my suspicion that this breach was not the work of a foreign government but of an individual who lacked an understanding of how water treatment facilities work and of how the changes could have caused harm to the public. The local authorities are already working with the FBI and other federal partners, and we should learn more details soon, especially if there is an indictment.
We now know that the threat actor gained remote access via TeamViewer to the systems used to regulate the level of chemicals used to make groundwater safe for use. The pandemic has increased cyber risks for many critical infrastructure asset owners because operational technology (OT) staff have had to work remotely, rather than inside control rooms behind numerous physical security controls within the plants and industrial facilities. The utility had already upgraded from TeamViewer to another remote access solution but had not deprovisioned TeamViewer and removed it from the network. We also do not know whether those remote access credentials were default or stolen. Forrester clients often inquire about managing the risks of providing secure remote access to their OT networks for original equipment manufacturers and consultants who help maintain these systems. Providing remote access to critical systems has always been a challenge, and the pandemic only compounded the issues. Additionally, the unused TeamViewer installation is another reminder of the importance of maintaining a high-fidelity asset inventory and removing hardware and software no longer in use.
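The two defensive points above (a 100x setpoint jump that process sensors and operators can catch, and a change arriving through a remote access session that should no longer exist) can be turned into a simple audit check. The following is an added example, not code from the original post or from the utility: a setpoint-change monitor run over a constructed stream of HMI write events, with tag names, engineering limits and the remote-session label all assumed for illustration.

```python
# Added example (not from the original post): flag setpoint writes that fall
# outside engineering bounds or scale a value by an implausible factor, and
# note when such a write came in through a remote session.
from dataclasses import dataclass
from typing import List, Tuple

# Engineering bounds per tag, as an operator would know them (constructed values).
ENGINEERING_LIMITS = {
    "NaOH_dose_ppm": (0.0, 500.0),   # sodium hydroxide (lye) dosing setpoint
}
MAX_STEP_RATIO = 5.0  # any single write that scales a setpoint by more than 5x is suspect


@dataclass
class SetpointWrite:
    ts: str      # ISO-8601 timestamp of the write
    tag: str     # process tag being changed
    old: float   # value before the write
    new: float   # value after the write
    source: str  # origin of the write, e.g. "hmi:control-room" or "remote:<tool>"


def check_write(w: SetpointWrite) -> List[str]:
    """Return the reasons a write is suspicious; an empty list means it looks routine."""
    reasons = []
    lo, hi = ENGINEERING_LIMITS.get(w.tag, (float("-inf"), float("inf")))
    if not lo <= w.new <= hi:
        reasons.append(f"out of engineering range [{lo}, {hi}]")
    if w.old > 0 and w.new / w.old > MAX_STEP_RATIO:
        reasons.append(f"step ratio {w.new / w.old:.0f}x exceeds {MAX_STEP_RATIO:.0f}x")
    # Remote origin alone is not an alarm (vendors do legitimate remote work), but it
    # raises the priority of a write that already tripped a process check.
    if w.source.startswith("remote:") and reasons:
        reasons.append("change originated from a remote session")
    return reasons


def scan(writes: List[SetpointWrite]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, tag, reasons) for every write that tripped a check."""
    flagged = []
    for w in writes:
        reasons = check_write(w)
        if reasons:
            flagged.append((w.ts, w.tag, reasons))
    return flagged


# Constructed audit stream: a routine local adjustment, then a 100x jump over TeamViewer.
SAMPLE_WRITES = [
    SetpointWrite("2021-02-05T08:00:00", "NaOH_dose_ppm", 100.0, 110.0, "hmi:control-room"),
    SetpointWrite("2021-02-05T13:30:00", "NaOH_dose_ppm", 110.0, 11000.0, "remote:teamviewer"),
]
```

In a real deployment the write events would come from the HMI audit log or historian rather than an inline list, and the engineering limits would be set by the plant's process engineers.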
This is not the first reported cyberintrusion into a municipal water system. Israel reported Iranian state-sponsored hackers had breached water systems in Israel in early 2020. Additionally, in the first publicly known industrial control system (ICS) insider attack, a disgruntled former employee remotely accessed the ICS for the Maroochy Shire wastewater treatment plant in Eastern Australia and released 264K gallons of raw sewage into local parks, rivers, and residential areas. And while authorities reported no manipulation of any control systems, Iranian-linked threat actors claimed to have accessed and viewed files at a New York dam in 2013.
While yesterday’s attack appears to be of lower technical sophistication than these attacks, it is still deeply concerning. Had there not been engineering safeguards, there could have been an impact on the health of the system’s customers. It is also unlikely that Oldsmar’s water utility is the exception rather than the rule among American water treatment systems. Local governments and their utilities are often budget-strapped, with limited funds for extensive cyberdefenses. The WaterISAC has published 15 cybersecurity fundamentals for water and wastewater utilities, and many are low-cost, such as planning for an incident and creating a cybersecurity culture.
America’s Water Infrastructure Act (AWIA) was signed in 2018 to improve the quality and safety of community water systems around the country. As a smaller utility, the water system breached yesterday does not have to comply with the AWIA’s risk assessment deadline until June 30, 2021, or with the emergency response plan deadline until December 30, 2021. For the benefit of all other water utilities, Oldsmar should publish a detailed post-incident report and lessons learned despite not currently having to comply with the AWIA.
As authorities investigate, there are several important questions still to be answered:
- Was the intruder acting alone or under the direction of a foreign government?
- Was this the first cyberattack on a community water system in the United States?
- How susceptible are other water treatment systems to weak or obsolete remote access solutions?