A cyberattack on the water treatment system in Oldsmar, Florida, as reported on Feb. 8 is shocking — but not necessarily surprising. Critical infrastructure, especially in small municipalities, has long been an anticipated target of bad actors.
The severity and frequency of cybersecurity attacks in critical infrastructure sectors are increasing. Cybercriminals, terrorists and nation-states are growing more sophisticated in executing these attacks. Cyberthreats are moving beyond information technology and are now directly targeting critical plant operations, supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS) and even safety instrumentation systems.
The Oldsmar Attack
The Oldsmar attack, though ultimately unsuccessful, exposed critical vulnerabilities. Pinellas County officials say a bad actor gained unauthorized remote access to the city’s computer systems at the water treatment plant and attempted to increase the percentage of sodium hydroxide to 100 times its normal levels.
This chemical, commonly known as lye, is often used at municipal water treatment plants to control acidity and remove heavy metals from the water. But at a higher concentration, it can lead to serious health issues.
At the Oldsmar plant, a plant operator immediately caught the intrusion and retuned the level of sodium hydroxide back to normal — and the system was also designed with redundant mechanisms to check the water before releasing it to the public. But unauthorized access to a critical infrastructure system is a major vulnerability that should be addressed to prevent harm.
Mitigating the Risks
These risks cannot be prevented by an air gap or other common defenses. As companies continue to invest in digitalization and modernize operational technology (OT) systems and overall plant operations, cybersecurity risks will continue to grow.
At the same time, poorly calibrated products and a cybersecurity talent shortage are taking a toll on operations. Many asset owners are forced to do more with less and have opted to procure and deploy cybersecurity products purporting to make things easy for operators. The reality is that many of these products have multiple roles and ultimately make things worse by generating hundreds or even thousands of alerts, leading to “alert fatigue” for operators.
A plan is required for the eventuality that cyber incidents will occur within your OT environment. While preventing a cybersecurity incident is an admirable goal, the reality is that it is nearly impossible to protect against every threat to the operating environment. Organizations must defend against a multitude of potential threats, while cyber actors only need to find one way inside. This calls for effective defense strategies, as well as robust threat monitoring, detection and response capabilities.
Defense Strategies to Protect Against Similar Attacks
Implementing strong defense principles can secure a utility’s computer systems against unauthorized remote access:
- User authentication is crucial, with a comprehensive strategy that may include a combination of techniques such multifactor, biometric and certificate-based authentication.
- In the principle of least privilege, a user is given the minimum necessary access to perform a particular task during a specific time frame. Applications with unrestricted privileges, however, allow hackers to move around a network and cause as much damage as possible.
- Network segmentation is key to withstanding the impact of a cyberattack by reducing the potential attack surface for a bad actor, which concurrently increases the security of a network.
Improved Detection Enhances Resolutions
An organization’s risk management capability will be driven by these key determining factors:
- The organization’s ability to detect activities — and, assuming the organization has detected an issue,
- The organization’s ability to respond and/or recover from the event, activity or incident.
The de facto industry key performance indicators used to capture these two metrics are:
- Mean time to detection (MTTD) and
- Mean time to resolution (MTTR).
Threat detection specialists can be resources who combine a trained eye with deep understanding of threat intelligence. By enhancing an organization’s MTTD, the attack window can be limited or shortened. This delivers a greater chance of a successful resolution, response or recovery. An improved MTTD leads to a better MTTR.
Implementing effective defense strategies, robust detection and response capabilities, and a pragmatic incident response plan is key to improving overall preparedness and organizational resilience. While cyberattacks like the one in Florida are nearly impossible to protect against, these measures can help mitigate the potential damage.