The world's most capable, rugged and secure
industrial control system...
Introducing Bedrock OSA® Remote
- Intrinsically-secure PLC and RTU control
- 10 or 20 channels of universal I/O
- Free IEC 61131-3 engineering software
- -40ºC to +80ºC temperature range
- Rugged, all-metal case 5.4 in x 8.9 in x 2.3 in
Water Industry Gets a Cyber Wakeup Call
February 23, 2021 | Robert Bergman
The Florida water plant that was the subject of a cyber-attack last week may have dodged a bullet, but it highlights the vulnerability of the nation’s water supplies and the need for better security measures. Although an investigation into the attack is ongoing, it appears that whoever hacked into a water plant in Oldsmar, Florida was an unsophisticated actor accessing a poorly secured system.
“A supervisor monitoring a plant console about 1:30 p.m. saw a cursor move across the screen and change settings … and was able to immediately reverse it. The intruder was in and out in five minutes,” said Pinellas County Sheriff Bob Gualtieri, who dubbed the incident a wake-up call.
The hacker used a remote access software to try to increase the amount of sodium hydroxide – lye – added to the system by a factor of 100, something which cybersecurity experts interviewed by Krebsonsecurity.com say is not possible for the control system.
“The system isn’t capable of going up by a factor of 100 because there are certain physics problems involved there. Also, the changes they tried to make wouldn’t happen instantaneously. The operators would have had plenty of time to do something about it,” said, Joe Weiss, managing partner at Applied Control Solutions, a consultancy for the control systems industry and one of the experts Krebs interviewed.
While the recent Florida incident was caught before becoming dangerous, it highlights a potential threat that has been of growing concern in the industry and among regulators. Krebs’ interviews revealed that many of the approximately 54,000 distinct drinking water systems in the United States have the following characteristics:
- Virtually all rely on some type of remote access to monitor and/or administer their facilities.
- Many are unattended, underfunded and aging.
- Many have not separated operational technology from safety systems that might detect and alert on intrusions or potentially dangerous changes.
“A decent portion of small water utilities depend on their community or town’s IT person to help them out with stuff. When you’re running a water utility, there are so many things to take care of to keep it all running that there isn’t really enough time to improve what you have. That can spill over into the remote access side, and they may not have an IT person who can look at whether there’s a better way to do things, such as securing remote access and setting up things like two-factor authentication,” said Andrew Hildick-Smith, another of Krebs’ interviewees.
In an effort to address the issue, the America’s Water Infrastructure Act of 2018 requires all water utilities serving more than 3300 people to have a risk and resiliency plan on file by June 30 of 2021.
Prevention and mitigation
As more details about the Florida attack come to light, more will be said about the importance of software supervision, password management, patch updates, and other best practices that could or should have been taken to prevent a breach, such as experienced at Oldsmar. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already issued a set of recommendations for preventing attacks of this type. These include general recommendations for cyber hygiene, such as updating to latest software versions and access control and recommendations regarding the use of remote-control software.
CISA also recommends specific mitigation measures for the water/ waste software, such as systems that physically prevent dangerous conditions from occurring, if for example, cyber actors gain control of a sodium hydroxide pump, they wouldn’t be able to raise the pH to dangerous levels.
“… it helps to make the automation and the process more resilient. Even more important, the automation should actively refuse certain toxic moves. Yes, CISA was recommending that all Automation be made safer. This is the long overdue convergence of safety and security with automation. We shouldn’t just be using these practices in Safety systems, we should borrow from these concepts and apply them, where practical,” said control industry consulting Jake Brodsky commenting on the CISA recommendation in the SCADASEC forum.
Reducing the costs of water operations
Regardless of what the Florida investigation reveals, we would stress that the best cyber security comes when all end devices are hardened and protected, ideally, in a zero-trust architecture implemented and enforced. Traditional cyber security solutions focus primarily on the network access end of the automation system, which is certainly important, but the Bedrock solution uniquely hardens the control system as well, so that no unauthorized or unauthenticated entity is permitted, ever, to communicate with and alter the controls.
Sustainably providing safe potable water to the public increasingly requires remote operations management – especially true during the current pandemic. Only if the public interface (IT) and control network (OT) are safeguarded properly can open technologies that enable remote monitoring and control safely help prevent cyber-attacks that may result in danger to the public and significant expense for taxpayers and water utilities.
To understand an example of an architecture that secures remote operations at no incremental cost above the basic hardware, download the latest OSA white paper: Open Secure Remote Operations: A Vision Fulfilled.