Lye Detector: Hacker Caught Poisoning Oldsmar Water Supply
By Josh Lospinoso
Around 8 AM on Friday of last week, a cyberattacker attempted to sabotage a water treatment facility in Oldsmar, FL by instructing the control systems to inject over a hundred times the normal dose of lye. According to city officials, the attacker accessed an instance of TeamViewer, a remote access tool commonly used by industrial operators for troubleshooting and oversight.
Thankfully, a plant operator noticed that someone was remotely operating his computer, clicking through the water treatment plant’s controls and changing settings. He spotted the intrusion, reverted the dangerous setting, and alerted safety personnel to the problem.
While we are still waiting for corroboration by external security auditors, it appears that the attacker accessed TeamViewer from the internet.
This kind of attack isn’t new. Thousands of industrial systems with human-machine interfaces and remote access tools are accessible from the internet.
Using a tool like Shodan, it’s possible to search for these systems with relative ease. Thanks to the multi-tiered safeguards in most industrial control systems, it’s relatively rare that this meddling results in physical effects.
Tools like TeamViewer can improve team productivity. Especially in the age of COVID-19, technology like remote access tools can form a critical part of balancing employee safety and operational needs. We’re seeing the adoption of more remote access technologies across the information technology and operational technology spectrum. Unfortunately, they also open large attack surfaces for cyber criminals.
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published a guide on risk management while coping with COVID-19, which included actions for infrastructure protection and for strengthening remote access security controls. Crucially, CISA recommends continuous system monitoring so that abnormal activity is detected, and operators alerted, early.
Most operational technology platforms we’ve come across have no continuous cybersecurity monitoring systems in place.
Operators don’t have any way of telling if cyber intrusions are putting their equipment at risk until it’s too late. Further, they’re at a severe disadvantage once they’ve detected the intrusion, since they don’t have full-take data capture to augment incident response.
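To make the monitoring recommendation concrete, here is an added example (not code from the original post or from Shift5) of the kind of detection logic a continuous monitor on an HMI host could run. It ingests a constructed event feed of remote-session start/stop events and setpoint writes, flags any setpoint change that jumps by more than a ratio threshold, and raises a higher-severity alert when that write happens while a remote-access session is active on the same host. The log format, the tag name NaOH_DOSE_PPM, the threshold, and every sample value are assumptions made for illustration, not real plant data.

```python
"""Flag anomalous HMI setpoint writes, with remote-session context.

Added example; not code from the original post or from Shift5.
Log line format, field names and tag names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample feed (not real plant data). Two event kinds:
#   SESSION  a remote-access session starting/ending on an HMI host
#   SETPOINT a write to a control tag, with old and new values
SAMPLE_LOG = """\
2021-02-05T07:55:02 SESSION host=HMI-01 tool=teamviewer state=start src=203.0.113.45
2021-02-05T07:58:10 SETPOINT host=HMI-01 tag=NaOH_DOSE_PPM old=100 new=110 user=operator
2021-02-05T08:01:47 SETPOINT host=HMI-01 tag=NaOH_DOSE_PPM old=110 new=11100 user=operator
2021-02-05T08:03:20 SETPOINT host=HMI-01 tag=NaOH_DOSE_PPM old=11100 new=100 user=operator
2021-02-05T08:05:00 SESSION host=HMI-01 tool=teamviewer state=end src=203.0.113.45
2021-02-05T09:30:00 SETPOINT host=HMI-01 tag=NaOH_DOSE_PPM old=100 new=105 user=operator
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>SESSION|SETPOINT) (?P<rest>.*)$")


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[tuple]:
    """Return (timestamp, kind, fields) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return m.group("ts"), m.group("kind"), fields


def change_ratio(old: float, new: float) -> float:
    """Multiplicative size of a change, direction-agnostic (revert trips too)."""
    if old == new:
        return 1.0
    if old == 0 or new == 0:
        return float("inf")  # any move to/from zero is a maximal change
    return max(old / new, new / old)


def detect(log_text: str, max_ratio: float = 10.0) -> list:
    """Walk the feed in order, tracking active remote sessions per host."""
    alerts = []
    active = {}  # host -> (tool, src) while a remote session is open
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, f = parsed
        host = f.get("host", "?")
        if kind == "SESSION":
            if f.get("state") == "start":
                active[host] = (f.get("tool"), f.get("src"))
            elif f.get("state") == "end":
                active.pop(host, None)
            continue
        # SETPOINT: a malformed value is itself worth an alert, not a silent skip
        try:
            old, new = float(f["old"]), float(f["new"])
        except (KeyError, ValueError):
            alerts.append(Alert(ts, host, "unparseable_setpoint", line))
            continue
        remote = active.get(host)
        ratio = change_ratio(old, new)
        where = f"{f.get('tag')} {old:g}->{new:g} (x{ratio:g})"
        if remote:
            where += f" during {remote[0]} session from {remote[1]}"
        if ratio > max_ratio:
            rule = "setpoint_jump_remote" if remote else "setpoint_jump"
            alerts.append(Alert(ts, host, rule, where))
        elif remote:
            alerts.append(Alert(ts, host, "write_during_remote_session", where))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.rule}: {a.detail}")
```

Run against the constructed feed this raises three alerts: the small write during the remote session is logged as informational, and both the hundredfold jump and the operator's revert trip the high-severity rule, which is what an analyst wants to see when reconstructing the timeline. The write at 09:30, outside any session and within the ratio threshold, raises nothing. A real deployment would draw the session events from the remote-access tool's own logs or from network capture and the setpoint writes from the HMI or PLC, which is exactly the full-take data most operators do not have today.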
Due to the vigilance of the on-duty Oldsmar operator and the multi-tiered control measures at the plant, no one was seriously injured last week. But there’s a wide variance in adoption of security control measures among operational technology like fleet assets. If an attacker penetrates a locomotive or aircraft fleet, we may not find out until it’s too late.
The lesson here for fleet owners is clear: until you’ve put robust security controls like continuous monitoring in place, don’t connect them to the internet. (And don’t connect them to things that connect to the internet.)
Shift5 is a transportation data company based in Arlington, VA. Shift5 customers run smarter, safer, and more efficiently by unlocking their fleet’s data. Their data-driven solutions integrate directly onto existing platforms, collecting and enriching data from all their electronic components. Shift5 customers employ this data to improve cybersecurity, safety, and resilience as well as automate menial tasks, improve reliability, and make smarter business decisions.