OLDSMAR WATER CYBER ATTACK: LESSONS LEARNED

One year ago, a hacker got on the Oldsmar, Florida water control network and tried to poison the water supply. They failed, but got much too close for comfort. What have we learned?

It’s been a year since a still-unknown intruder hacked into the controls at the Oldsmar, Florida plant and tried to raise treatment chemical levels to toxic amounts. Fortunately, an alert employee noticed something strange happening and was able to stop it. Although no harm was done, many, including us, hailed this as a “wake-up call” for the water industry. One year later, has the sector woken up to the threat, or has it hit the snooze button?

The need to know

The Oldsmar incident certainly woke up the Federal government to the importance of knowing about breaches and related events as quickly as possible. The Oldsmar experience was one of the factors that drove this month’s announcement that the Biden–Harris administration will extend to the water sector the Industrial Control Systems (ICS) Cybersecurity Initiative. The new Water Sector Action Plan intends to spur deployment of technologies and systems that will improve cyber-threat visibility, indicators, detections, and warnings, targeting the following immediate objectives:

  • Assist owners and operators in real-time monitoring and alerting on anomalies and sharing relevant cybersecurity information with the government and other stakeholders
  • Operate a pilot program for ICS monitoring and information-sharing technology that will specifically benefit the water sector
  • Initially, focus on the utilities that serve the largest populations and have the highest consequence systems and lay a foundation for enhancing ICS cybersecurity across water systems of all sizes.

Within a week of the announcement of the hack, CISA issued a set of recommendations that water plants could follow to prevent such attacks. These cover cyber hygiene, remote-access software configuration, and cyber-physical safety controls.

Follow cyber hygiene best practices

Regarding the Oldsmar attack itself, it is doubtful that the breach would have happened at all if the plant had been following good cyber-hygiene practices such as the following:

  • Update to the latest version of the operating system (e.g., Windows 10). The compromised Oldsmar computer was running the no-longer-supported Windows 7 and was not in use by anyone, so nobody would have noticed any updates that might have been available.
  • Use multi-factor authentication.
  • Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
  • Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
  • Audit network configurations and isolate computer systems that cannot be updated.
  • Audit your network for systems using RDP; close unused RDP ports; apply multiple-factor authentication wherever possible; record RDP login attempts.
  • Audit logs for all remote connection protocols.
  • Train users to identify and report attempts at social engineering.
  • Identify and suspend access of users exhibiting unusual activity.
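Several of the items above (record RDP login attempts, audit logs for remote connection protocols, identify users exhibiting unusual activity) come down to routinely reviewing logon events. The script below is an added example, not part of the CISA guidance or the original article: it parses constructed Windows-style logon events (EventID 4624/4625, LogonType 10 for RDP) and flags RDP logons from addresses outside an assumed allow-list, or successes that follow repeated failures for the same account and source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real Oldsmar logs). EventID 4624 = successful
# logon, 4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = """\
2021-02-05 07:58:12 EventID=4625 LogonType=10 Account=operator Source=203.0.113.7
2021-02-05 07:58:19 EventID=4625 LogonType=10 Account=operator Source=203.0.113.7
2021-02-05 07:58:31 EventID=4625 LogonType=10 Account=operator Source=203.0.113.7
2021-02-05 07:59:02 EventID=4624 LogonType=10 Account=operator Source=203.0.113.7
2021-02-05 08:05:40 EventID=4624 LogonType=10 Account=scada_eng Source=10.0.5.21
2021-02-05 13:10:09 EventID=4624 LogonType=2 Account=operator Source=-
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)"
)

def parse_events(text):
    """Parse one event per line into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events

def audit_rdp(events, trusted_sources, fail_threshold=3):
    """Return alerts for RDP logons (LogonType 10) that either come from an
    address outside trusted_sources, or succeed after fail_threshold or more
    consecutive failures for the same account and source (a guessing pattern)."""
    alerts = []
    failures = defaultdict(int)   # (account, source) -> consecutive failures
    for ev in events:
        if ev["lt"] != "10":
            continue              # ignore console and other non-RDP logons
        key = (ev["acct"], ev["src"])
        if ev["eid"] == "4625":
            failures[key] += 1
        elif ev["eid"] == "4624":
            if ev["src"] not in trusted_sources:
                alerts.append(("untrusted_source", ev["acct"], ev["src"]))
            if failures[key] >= fail_threshold:
                alerts.append(("success_after_failures", ev["acct"], ev["src"]))
            failures[key] = 0     # a success resets the failure streak
    return alerts
```

In practice the events would come from a SIEM or the Security event log rather than an inline string, and the allow-list would be the engineering workstations that are actually permitted to use RDP.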

Configure remote collaboration software for maximum security

The collaboration software used in the attack was TeamViewer, an independent product that integrates with Microsoft Teams. TeamViewer provides the following guidelines for securing communications across its software:

  • Do not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy access.”
  • Configure TeamViewer service to “manual start” so that the application and associated background services stop when not in use.
  • Set random passwords to generate 10-character alphanumeric passwords.
  • If using personal passwords, use complex rotating passwords of varying lengths. Note: TeamViewer allows users to change connection passwords for each new session. If an end user chooses this option, do not enable saving of connection passwords.
  • When configuring access control for a host, utilize custom settings to tier the access a remote party may attempt to acquire.
  • Require a remote party to receive confirmation from the host to gain any access other than “view only.” Doing so will ensure that if an unauthorized party connects via TeamViewer, they will only see a locked screen and not have keyboard control.
  • Utilize the ‘Block and Allow’ list, enabling a user to control which other organizational users of TeamViewer may request access to the system. This list can also block users suspected of unauthorized access.

TeamViewer is only one of many collaboration software packages used by water plants. At ToolBox.com Jayant Chakravarti discusses cyber security issues for other popular collaboration software.

Implement control on cyber-physical safety systems

Installing independent cyber-physical safety controls for critical systems could mitigate dangerous consequences. A PLC, for example, could be programmed to emulate the actions of the Oldsmar operator who identified strange behavior in the sodium hydroxide pump and shut it down. In addition to the chemical feed pump, other parameters that could be programmed to prevent or mitigate safety issues include the size of the chemical feed pump, gearing on valves, and pressure switches. Implementing such controls safely, however, requires a sophisticated, potentially costly safety instrumented system.
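To make the idea of an independent interlock concrete, here is an added example (not the article's or CISA's code, and not based on Oldsmar's actual setpoints) of the logic such a PLC could run: it accepts dosing setpoint writes only inside an assumed safe envelope and rate of change, trips the feed pump on anything outside it, and latches until a local reset. The limits are constructed engineering values for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DosingInterlock:
    """Independent safety interlock for a chemical feed pump setpoint.
    Limits are assumed values for illustration, not plant data."""
    max_setpoint: float = 150.0      # ppm, hard ceiling of the safe envelope
    max_step: float = 25.0           # ppm, largest change accepted per write
    current_setpoint: float = 100.0  # ppm, last accepted value
    tripped: bool = False
    log: list = field(default_factory=list)

    def request_setpoint(self, requested):
        """Validate a setpoint write from the HMI/SCADA side and return the
        setpoint actually applied. Any out-of-envelope request trips the pump
        (setpoint 0) and latches until a local reset."""
        if self.tripped:
            self.log.append(f"reject {requested}: interlock tripped")
            return 0.0
        if requested < 0 or requested > self.max_setpoint:
            self.trip(f"setpoint {requested} outside 0..{self.max_setpoint} ppm")
            return 0.0
        if abs(requested - self.current_setpoint) > self.max_step:
            self.trip(f"step {self.current_setpoint}->{requested} exceeds {self.max_step} ppm")
            return 0.0
        self.current_setpoint = requested
        self.log.append(f"accept {requested}")
        return requested

    def trip(self, reason):
        """Stop the feed pump and latch; the network path cannot clear this."""
        self.tripped = True
        self.current_setpoint = 0.0
        self.log.append(f"TRIP: {reason}")

    def local_reset(self):
        """Clear the trip from the local panel only, restarting from zero dose."""
        self.tripped = False
        self.current_setpoint = 0.0
        self.log.append("reset by local operator")
```

The key property is that the interlock sits outside the path an intruder reaches through the HMI: a remote write that is absurd for the process is stopped even if the HMI itself has been fully taken over.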

Lessons missed?

While the CISA recommendations mention automating mitigation, they stop short of recommending that the core control technology itself be cyber secure. But if the PLCs running your shutdown sequences can be accessed, they can be disabled, rendering them useless. In most of its other communications, CISA, like most other cyber protection agencies, stresses the need for Zero Trust architectures in protecting critical industrial processes. If control systems are designed not to trust a signal just because it somehow managed to get onto the plant network, rogue intruders would not be able to access critical functions at all.
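One way to realise "do not trust a signal just because it reached the plant network" is for the controller to authenticate every command. The following added example (not the article's code, and not a description of any specific vendor's intrinsically secure platform) uses an assumed pre-shared HMAC-SHA256 key and a monotonically increasing counter, so a forged write, a write for a different device, and a replayed valid write are all rejected regardless of which host sent them.

```python
import hashlib
import hmac
import json

# Assumed per-device key provisioned to both the HMI and the controller;
# constructed here for the example, never hard-coded in a real deployment.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def sign_command(key, device_id, counter, payload):
    """HMI side: serialize the command deterministically and tag it with an
    HMAC over device id, counter and payload. Returns (body, tag)."""
    body = json.dumps({"device": device_id, "ctr": counter, "cmd": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag

class SecureController:
    """Controller that treats every network command as untrusted until its
    MAC verifies and its counter is fresh; source address is never consulted."""
    def __init__(self, key, device_id):
        self.key = key
        self.device_id = device_id
        self.last_ctr = 0
        self.setpoint = 100.0
        self.rejected = []   # reasons, for the audit trail

    def handle(self, body, tag):
        """Return True and apply the setpoint only if the command is genuine."""
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            self.rejected.append("bad_mac")
            return False
        msg = json.loads(body)
        if msg["device"] != self.device_id:
            self.rejected.append("wrong_device")
            return False
        if msg["ctr"] <= self.last_ctr:              # replay of an old command
            self.rejected.append("replay")
            return False
        self.last_ctr = msg["ctr"]
        self.setpoint = float(msg["cmd"]["setpoint"])
        return True
```

A production design would also bound the counter window across restarts and protect the key in hardware, but the acceptance rule stays the same: no valid tag and fresh counter, no actuation.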

CISA and others who recognize the value of intrinsic OT cyber security seldom include it in their recommendations, often because they believe that implementation requires ripping and replacing the entire controls infrastructure all at once. But this is not necessarily the case. A Colorado utility solved that problem by migrating existing controls to an intrinsically secure platform in phases, keeping legacy equipment running behind an intrinsically secure proxy controller before eventually switching all legacy devices to a fully secure system.
