Malicious Actor Compromises U.S. Water Treatment Plant, Changes Chemical Level

Created: Monday, February 8, 2021 - 18:52
Categories:
Cybersecurity

Today officials in Florida announced that late last week an unknown malicious actor infiltrated a water treatment plant in the city of Oldsmar and made changes to chemical levels in the treatment process. Fortunately, this activity was quickly observed by a plant operator and reversed. Officials indicated that the public was never in danger, both because of the operator's quick action and because of other measures that would have prevented the release of the water into the distribution system.

Access the press conference recording and a related local news article.

Speaking about the incident during a press conference earlier today, the Pinellas County Sheriff noted that a plant operator observed two intrusions last Friday that were hours apart. In the second intrusion, which lasted about five minutes, the operator saw the mouse moving around as the malicious actor accessed various functions. One of these functions controls the amount of sodium hydroxide in the water, which the malicious actor changed from about 100 parts per million to 11,100 parts per million. The operator observed this change and immediately reversed it. The Sheriff also emphasized it would have taken between 24 and 36 hours for the water to reach the distribution system and that there are redundancies in place to check water quality before release.

Law enforcement authorities are still investigating the incident. They indicated they currently do not know whether the compromise originated from the U.S. or abroad.

While unfortunate, this incident should come as no surprise. The ICS cybersecurity community has been warning of such incidents for years. WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities includes a reference example of an attempted chemical addition in a “what could happen” scenario: “Blended attacks with long-lasting impacts can be mitigated by physically preventing access to process equipment and by installing independent cyber-physical safety systems. These systems should prevent conditions such as excessive levels of pressure, chemical additions, vibrations or temperature change from occurring due to malicious acts against a compromised control system.” And while there are other incidents, we do not have to look far back for real-world examples: multiple similar attacks on Israeli water infrastructure in 2020 (reported in several Security & Resilience Updates).
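The quoted principle of an independent cyber-physical safety system is illustrated below with an added example (not WaterISAC's or the plant's code): a setpoint guard that sits outside the HMI and control system, enforces an engineering envelope on the sodium hydroxide dosing setpoint, and refuses out-of-envelope changes regardless of who or what issued them. The limits, tag name and command log are constructed assumptions for illustration, not values from the Oldsmar plant.

```python
"""Independent setpoint guard for a chemical dosing loop (illustrative example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SafetyEnvelope:
    """Engineering limits enforced independently of the control system."""
    tag: str
    low: float       # minimum permitted setpoint
    high: float      # maximum permitted setpoint
    max_step: float  # largest change accepted in one command


# Assumed limits for an NaOH dosing setpoint, in ppm (constructed, not real plant data).
NAOH_ENVELOPE = SafetyEnvelope(tag="NaOH_setpoint_ppm", low=50.0, high=200.0, max_step=25.0)


def check_setpoint(env: SafetyEnvelope, current: float, requested: float) -> Tuple[bool, str]:
    """Return (accepted, reason). A rejected command leaves `current` in force."""
    if not (env.low <= requested <= env.high):
        return False, f"{env.tag}: {requested} ppm outside [{env.low}, {env.high}]"
    if abs(requested - current) > env.max_step:
        return False, f"{env.tag}: step of {requested - current:+} ppm exceeds {env.max_step}"
    return True, "ok"


def apply_commands(env: SafetyEnvelope, start: float,
                   commands: List[Tuple[str, float]]) -> Tuple[float, List[str]]:
    """Replay setpoint commands through the guard; return the final setpoint and alerts."""
    value, alerts = start, []
    for source, requested in commands:
        ok, reason = check_setpoint(env, value, requested)
        if ok:
            value = requested
        else:
            # Hold the last good value and raise an alert for the operator / SOC.
            alerts.append(f"REJECTED from {source}: {reason}")
    return value, alerts


# Constructed command log: a routine adjustment, then the 100 -> 11,100 ppm change
# described in the article, then the operator's reversal.
COMMANDS = [("HMI/operator", 105.0), ("HMI/remote-session", 11100.0), ("HMI/operator", 100.0)]

if __name__ == "__main__":
    final, raised = apply_commands(NAOH_ENVELOPE, 100.0, COMMANDS)
    print(f"final setpoint: {final} ppm")
    for line in raised:
        print(line)
```

With the guard in place the 11,100 ppm request never reaches the dosing controller; the only effect is an alert, so safety does not depend on an operator happening to watch the screen.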

As more is learned about this incident, WaterISAC will share information with its members and partners to help inform their security measures. In the meantime, WaterISAC strongly recommends members review and implement the mitigation measures below to protect themselves from similar activity:

Recommended Mitigations:

  • Identify internet accessible OT devices on your network through an internet search (such as Shodan, Censys, Google, etc.) before the bad guys do
  • Implement network segmentation
  • If remote access is absolutely necessary, use a securely configured VPN
  • Filter traffic with methods such as whitelisting or geo-blocking to prevent access from unauthorized persons or places
  • Encrypt traffic
  • Use non-trivial authentication methods
  • Enforce strong passwords
  • Configure access for user accounts with the absolute least privilege to accomplish the task

WaterISAC also urges members to report incidents and suspicious activities, first to local and other law enforcement authorities and then to WaterISAC by emailing analyst@waterisac.org, calling 866-H20-ISAC, or using the online incident reporting form.