What we know about this incident has been widely published and shared across countless media - including a WaterISAC advisory to members yesterday - so we will not belabor the point by reposting every source. As conveyed by the authorities investigating the incident, we know that access was obtained remotely, reportedly via TeamViewer, and that a change was made to the sodium hydroxide level in the water treatment process – and please pardon the “A Few Good Men” reference, “these are the facts of the case and they are undisputed.” What still has not been disclosed (at the time of this writing) is the geographic location and/or IP address from which the access was purportedly made, the intent/goal of the access, and the sophistication (if any) of the actor in question (which also bears on the intent/goal).
Multiple facets of this incident seem to point to a lack of sophistication on the part of the “actor.” The incident seems more opportunistic than sophisticated. It is widely believed that a sophisticated attack would have resulted in a loss of view, loss of control, and likely a loss of availability of the impacted system, not a seeming hit-and-run. However, given that many HMIs are widely documented on the internet, it is possible the actor had enough skill to look up the system discovered at Oldsmar during the first intrusion (at 8:00 AM) and find out where/how to change the key value affected during the second connection (at 1:30 PM).
Furthermore, let us not be remiss in at least considering that this could have been an authorized connection with an intentional change to an unintentional value. Is it outside the realm of possibility that a change in the level from “100” to “110” or “111” was the plausible intent and the trailing zeros were erroneously not deleted, thus giving the impression of an “attack”? Is it reasonable to consider that what happened at Oldsmar was a human error similar to the sewage spill in Valdosta, GA in December 2019?
Either way, the uncontested concern in regard to this event is the need for greater security on remote access to our critical infrastructure, including water and wastewater utilities. And while it is preferable not to allow remote access to these systems at all, that is very rarely a practical decision in this day and age. However, allowing it in anything other than a secure and highly controlled manner is not a practical decision either. Our friends at Dragos have posted some key recommendations for identifying insecure remote access in the OT/ICS environment and subsequently securing it.
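Whether the Oldsmar change was hostile or a mistyped value, the same engineering control catches both: a setpoint plausibility guard at the HMI/controller boundary that rejects writes outside the hard engineering range or larger than a single permitted step, and holds writes arriving over a remote session for a second operator's confirmation. The following is an added example (not WaterISAC, Dragos or Oldsmar code) illustrating that guard; the tag name `NAOH_DOSE_SP`, the limits, and the three sample change requests are constructed for illustration and are not the plant's real values.

```python
"""Setpoint plausibility guard for an HMI-driven process value.

Added example; the limits, tag name and sample change requests below are
constructed for illustration and are not the Oldsmar plant's real values.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    HOLD_FOR_CONFIRMATION = "hold"   # plausible, but a second operator must confirm
    REJECT = "reject"


@dataclass(frozen=True)
class SetpointLimits:
    tag: str
    low: float                        # hard engineering floor
    high: float                       # hard engineering ceiling
    max_step: float                   # largest change allowed in one write
    remote_needs_confirm: bool = True # remote writes never apply unilaterally


@dataclass
class Decision:
    verdict: Verdict
    reasons: list = field(default_factory=list)


def evaluate_change(limits: SetpointLimits, current: float, requested: float,
                    remote: bool) -> Decision:
    """Decide whether a setpoint write should be applied.

    The guard does not need to know intent: an out-of-range or oversized
    step is refused whether it came from an intruder or from an operator
    who left extra digits in the field.
    """
    reasons = []
    if not (limits.low <= requested <= limits.high):
        reasons.append(f"{requested} outside engineering range "
                       f"[{limits.low}, {limits.high}] for {limits.tag}")
    step = abs(requested - current)
    if step > limits.max_step:
        reasons.append(f"step of {step} exceeds max_step {limits.max_step}")
    if reasons:
        return Decision(Verdict.REJECT, reasons)
    if remote and limits.remote_needs_confirm:
        return Decision(Verdict.HOLD_FOR_CONFIRMATION,
                        ["remote session: second operator must confirm"])
    return Decision(Verdict.ACCEPT, [])


# Constructed sample tag: a chemical-dose setpoint in arbitrary units.
NAOH_DOSE = SetpointLimits(tag="NAOH_DOSE_SP", low=50.0, high=150.0, max_step=25.0)

# Constructed change requests (current, requested, remote): a small local
# adjustment, the same adjustment over a remote session, and a value with
# extra trailing digits left in the entry field.
SAMPLE_REQUESTS = [
    (100.0, 110.0, False),
    (100.0, 110.0, True),
    (100.0, 11100.0, True),
]


def audit(requests=SAMPLE_REQUESTS, limits=NAOH_DOSE):
    """Run each request through the guard; return the verdict names in order."""
    results = []
    for current, requested, remote in requests:
        d = evaluate_change(limits, current, requested, remote)
        results.append(d.verdict.value)
        print(f"{limits.tag}: {current} -> {requested} remote={remote}: "
              f"{d.verdict.value} {'; '.join(d.reasons)}")
    return results


if __name__ == "__main__":
    audit()
```

In a real deployment the range and step limits belong in the controller or a protocol-aware gateway rather than only in the HMI screen, so that a write which bypasses the HMI is still bounded, and every hold or reject should raise an alarm that is logged with the originating session.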
This is not a wake-up call, as some are stating. Hopefully this incident will move the needle forward on the battle cry that the ICS cybersecurity community has been chanting for many years. At the very least, this incident demonstrates that it can and does happen in the U.S., just as was said after the Israeli water infrastructure attacks in 2020. Applying lessons learned from others’ incidents is a powerful defense, and it doesn’t necessarily take $1,000,000 to secure systems. Oftentimes it only takes addressing basic cybersecurity guidance, and much of that guidance is available at no cost (save for someone with cybersecurity knowledge who knows where to find and apply it). Much of that guidance is curated and provided through WaterISAC to help resource-constrained utilities – including our 15 Cybersecurity Fundamentals for Water and Wastewater Utilities and AWWA's Cybersecurity Guidance and Tool.