It’s been a year since a still-unknown intruder hacked into the controls at the Oldsmar, Florida plant and tried to raise treatment chemical levels to toxic amounts. Fortunately, an alert employee noticed something strange happening and was able to stop it. Although no harm was done, many, including us, hailed this as a “wake-up call” for the water industry. Has the sector woken up to the threat, or has it hit the snooze button one year later?
The need to know
The Oldsmar incident certainly woke up the Federal government to the importance of knowing about breaches and related events as quickly as possible. The Oldsmar experience was one of the factors that drove this month’s announcement that the Biden–Harris administration will extend to the water sector the Industrial Control Systems (ICS) Cybersecurity Initiative. The new Water Sector Action Plan intends to spur deployment of technologies and systems that will improve cyber-threat visibility, indicators, detections, and warnings, targeting the following immediate objectives:
Within a week after the announcement of the hack, CISA issued a set of recommendations that water plants could follow to prevent such attacks. These include lessons in cyber hygiene, remote software configuration, and cyber-physical safety controls.
Follow cyber hygiene best practices
Regarding the Oldsmar attack itself, it is doubtful that the breach would have happened at all if the plant had been following good cyber hygiene practices such as the following:
Configure remote collaboration software for maximum security
The collaboration software used in the attack was TeamViewer, an independent product integrated with Microsoft Teams. TeamViewer provides the following guidelines for securing communications across its software:
Implement control on cyber-physical safety systems
Installing independent cyber-physical safety controls for critical systems could mitigate dangerous consequences. A PLC, for example, could be programmed to emulate the actions of the Oldsmar operator who identified strange behavior in the sodium hydroxide pump and shut it down. Beyond the chemical feed pump logic, other parameters that could be set to prevent or mitigate safety issues include the size of the chemical feed pump, gearing on valves, and pressure switches. Implementing such controls safely, however, requires a sophisticated, potentially costly safety instrumented system.
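One way such an independent guard could behave, sketched here in Python rather than PLC logic. This is an added example, not code from CISA or from any plant; the class name `DosingInterlock`, the limits and all ppm values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed engineering limits for illustration; real values come from
# the plant's process design, not from this article.
SETPOINT_MIN_PPM = 50.0
SETPOINT_MAX_PPM = 150.0
MAX_STEP_PPM = 10.0        # largest setpoint change accepted per request
TRIP_MEASURED_PPM = 200.0  # measured dose that forces a shutdown


@dataclass
class DosingInterlock:
    """Hypothetical guard sitting between HMI/remote requests and the feed pump."""
    setpoint_ppm: float = 100.0
    tripped: bool = False
    last_event: str = "ok"

    def request_setpoint(self, requested_ppm: float) -> float:
        """Apply a requested setpoint only if it passes range and step checks."""
        if self.tripped:
            self.last_event = "rejected: interlock tripped"
        # A NaN request fails this comparison and is rejected as well.
        elif not SETPOINT_MIN_PPM <= requested_ppm <= SETPOINT_MAX_PPM:
            self.last_event = "rejected: outside engineered range"
        elif abs(requested_ppm - self.setpoint_ppm) > MAX_STEP_PPM:
            self.last_event = "rejected: step change too large"
        else:
            self.setpoint_ppm = requested_ppm
            self.last_event = "accepted"
        return self.setpoint_ppm

    def scan(self, measured_ppm: float) -> bool:
        """Return True if the pump may run; latch a trip on a high reading."""
        if measured_ppm >= TRIP_MEASURED_PPM:
            self.tripped = True
            self.last_event = "trip: measured dose above hard limit"
        return not self.tripped

    def local_reset(self, key_switch_on: bool, measured_ppm: float) -> bool:
        """Clear the trip only from the physical panel and only once safe."""
        if key_switch_on and measured_ppm < TRIP_MEASURED_PPM:
            self.tripped = False
            self.last_event = "reset"
        return not self.tripped
```

The trip is latched and can only be cleared with the local key switch, so a remote session that can write setpoints cannot also re-enable the pump.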
While the CISA recommendations mention automating mitigation, they stop short of recommending that the core control technology itself be cyber secure. But if the PLCs running your shutdown sequences are accessed, they could be disabled, rendering them useless. In most of its other communications, CISA, like most other cyber protection agencies, stresses the need for Zero Trust architectures in protecting critical industrial processes. If control systems are designed not to trust a signal just because it somehow managed to get onto the plant network, rogue intruders would not be able to access critical functions at all.
CISA and others who recognize the value of intrinsic OT cyber security seldom include it in recommendations, often because they believe that implementation requires ripping and replacing the entire controls infrastructure all at once. But this is not necessarily the case. A Colorado utility solved that problem by migrating existing controls to an intrinsically secure platform in phases, keeping legacy equipment running through an intrinsically secure proxy controller before eventually switching all legacy devices to a fully secure system.