US Water Plant Suffers Cyber Attack Through the Front Door
An attempted cyber attack against a water treatment plant in Florida highlights endemic failures in the cyber security of the US water sector.
On 5 February, an unidentified attacker accessed the systems at a US water treatment plant in Oldsmar, Florida, and briefly altered the chemical levels in the drinking water.
While full details are still emerging, initial reporting suggests that the perpetrator gained remote access to the plant’s systems through a weakly protected software application called TeamViewer, a tool used by a large number of organisations to manage remote access to IT systems. In this case, the plant had actually stopped using TeamViewer six months ago, but left it installed. After remotely accessing the plant’s systems, the attacker was able to manipulate a control panel and significantly increase the levels of sodium hydroxide – also known as lye or caustic soda, an industrial cleaning agent – that were being distributed into the water supply. Luckily, a plant operator observed the attacker remotely access his computer – including the mouse moving on the screen and making changes – and was able to reverse the commands. It is also possible that other safeguards would have alerted staff or may have prevented chemical changes from reaching dangerous levels.
Alarming as this incident is, it is not the first of its kind. While the use of Stuxnet – a malicious computer worm – or Russia’s attacks against Ukraine’s electrical grid in 2015 and 2016 have grabbed the most public attention, disruptive cyber operations against water treatment or waste plants have occurred, largely away from public gaze, for over two decades.
In 2000, a disgruntled contractor in Queensland, Australia, used radio commands to control systems at a waste plant and cause 800,000 litres of raw sewage to spill into parks and rivers, killing marine life. In 2016, a hacktivist group gained access to supervisory control and data acquisition (SCADA) systems at an unnamed US water utility and manipulated the flow of chemicals twice – fortunately, without effect.
Iran has also been linked to several operations against water systems. An Iranian group attempted to gain remote access to SCADA systems at a small dam in New York in 2013. In spring and summer 2020, Israeli officials claimed an Iranian campaign was attempting to disrupt water treatment plants and agricultural irrigation systems. Like the latest incident in Oldsmar, the attacks against Israeli targets also used poorly secured remote access software to gain access to industrial control systems (ICS).
For now, the Oldsmar incident remains unattributed. Due to the basic nature of the tactics employed, responsibility could lie with anyone ranging from a malicious insider with knowledge of the plant’s TeamViewer software, a ‘script kiddy’ scanning for internet-facing TeamViewer instances on Shodan (a search engine for internet-connected devices), or even a state actor. However, as the ICS security analyst Joe Slowik has noted, a lack of precision and the apparent failure of the perpetrator to remove the plant operator’s visibility or control suggest that it was an opportunistic and unskilled actor, not a state.
Although the Oldsmar incident may reignite the ‘act of war’ debate that erupted in the aftermath of the SolarWinds breach, it is the apparent ease with which the attack was carried out that should be the focus of the Biden administration’s cyber security policymakers. While it is perhaps inevitable that state actors with enough time and resources will be able to disrupt critical national infrastructure (CNI), the inability to prevent more basic attacks from insiders, ransomware groups and hacktivists acts as a warning that this will be a persistent threat. And if operators are in some cases unaware of the need to implement even the most straightforward cyber risk management practices – such as limiting access from a notoriously insecure remote access tool – then it is up to policymakers and regulators to address failures in the sector.
A Huge Task
There are endemic problems in the US water sector that prevent a ‘quick fix’ for such incidents. The first is the sheer scale of the sector. The US Cybersecurity and Infrastructure Security Agency estimates that there are 153,000 public drinking water systems and 16,000 publicly owned wastewater treatment systems, serving approximately 80% of the population with drinking water. Simply delineating responsibilities, or even mapping the stakeholders clearly, is a serious problem. With such a vast landscape and small IT budgets, cyber risk management is inevitably stretched, and operators need clear and well-defined guidance.
Currently available policy and guidance in the US appears sparse. The Water and Wastewater Systems Sector-Specific Plan – 2015 ranks ‘cyber events’ as a ‘most significant risk’. It outlines some short-term objectives to be achieved within the two years following its publication in 2015. Unfortunately, the plan does not outline any long-term objectives, which could include supply chain and third-party risk management. Considering TeamViewer was the vector for the latest intrusion, a renewed emphasis should be placed on supply chain and third-party risk, particularly if such a tool is connected to the operational technology layer of the network.
Nonetheless, guidance is not synonymous with implementation. In the energy sector, the US implemented regulation to increase levels of cyber security, and the water sector could equally benefit from a stricter set of minimum standards. However, some claim that energy sector regulation has led to a ‘security by compliance’ culture, allegedly stifling potential innovation in this field.
One of the challenges of implementing regulation is its resource-intensive nature. A shortage of qualified personnel at such establishments is a key issue, as usually there are only one or two people working in IT at each water plant. Any implementation of new, tighter regulation would therefore require a significant increase in spending on cyber security. Yet that is not to say new regulation is either unwelcome or always prohibitively expensive. Even basic minimum standards that require operators to decommission or remove technology when it is no longer used would have prevented the incident at Oldsmar.
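As an added example (not from the RUSI commentary or from any vendor), this is the audit such a minimum standard implies, run over a constructed software inventory: it flags remote-access tools that have sat idle beyond an assumed 90-day threshold, that are installed on OT-connected hosts, or that are internet-facing, the three conditions the commentary raises about the Oldsmar TeamViewer instance. The inventory columns, host names, tool list and threshold are all assumptions.

```python
"""Audit a software inventory for stale or exposed remote-access tools."""
import csv
import io
from datetime import date

# Assumption: remote-access products worth flagging (illustrative list).
REMOTE_ACCESS_TOOLS = {"teamviewer", "anydesk", "vnc"}
# Assumption: a tool unused for longer than this should be decommissioned.
IDLE_DAYS_THRESHOLD = 90

# Constructed inventory (not real hosts): host, network zone, installed
# software, last observed use (ISO date), whether it is internet-facing.
INVENTORY = """\
host,zone,software,last_used,internet_facing
hmi-01,OT,TeamViewer,2020-08-04,yes
hmi-01,OT,WinCC,2021-02-05,no
eng-ws-02,IT,TeamViewer,2020-10-01,no
office-pc-07,IT,Chrome,2021-02-04,no
"""


def parse_inventory(text):
    """Parse the CSV inventory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(records, today):
    """Return one finding per remote-access install that breaks a rule."""
    findings = []
    for r in records:
        if r["software"].lower() not in REMOTE_ACCESS_TOOLS:
            continue  # only remote-access tools are in scope here
        idle_days = (today - date.fromisoformat(r["last_used"])).days
        reasons = []
        if idle_days > IDLE_DAYS_THRESHOLD:
            reasons.append(f"unused for {idle_days} days; remove or disable")
        if r["zone"] == "OT":
            reasons.append("remote-access tool on an OT-connected host")
        if r["internet_facing"] == "yes":
            reasons.append("reachable from the internet")
        if reasons:
            # Several overlapping weaknesses on one host raise the severity.
            severity = "high" if len(reasons) > 1 else "medium"
            findings.append({"host": r["host"], "software": r["software"],
                             "severity": severity, "reasons": reasons})
    return findings


def run_example():
    """Audit the constructed inventory as of 5 February 2021."""
    return audit(parse_inventory(INVENTORY), date(2021, 2, 5))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```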
Fluid And Flexible
Intelligent regulation would need to keep up with the times too. The coronavirus pandemic may have increased remote working in the water sector, according to a Bluefield Research paper. To operate, the US water sector still needs over 1 million people on-site, but with managers, supervisors, engineers, architects, and select asset operators all working either fully or partially from different locations, remote access remains vital for the resiliency of the system. Bluefield claimed that remote monitoring and digital asset management are already widespread across the water sector, so the pandemic did not require a huge acquisition or adoption of new technology: ‘79% of US community water systems have SCADA systems fully implemented, while just 21% have network optimisation solutions in place that facilitate remote management’. While the research supports the use of remote management to maintain the operation of plants, a renewed emphasis on cyber security is required.
Either way, the adoption of future technology will accelerate due to the pandemic, and any regulation needs to bear this technological change in mind. However, the fact remains that the water sector needs greater resources, guidance and education to manage its cyber risks. Despite the fact that in this case the attack did not succeed, new regulation and thinking are crucial as the water sector continues to dive headfirst into digitalisation and the integration of its information and operational technology systems.
Internationally, this case will generate dialogue around the appropriate standards and regulation for CNI, illustrating that the cyber resilience of CNI is only as strong as the weakest part. In the UK, work has been done in the telecommunications sector to provide guidance to operators, but other sectors require the same treatment.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.