Florida’s Water Poisoned by Hackers: A Warning Signal

10 Feb 2021

We shouldn’t be surprised by the attack on a Florida water system earlier this week. We should, however, consider it a warning signal. Because while the perpetrators were detected and removed from the network, it was only after they had remotely adjusted the level of sodium hydroxide in the water to dangerously concentrated amounts - more than 100 times the normal levels. Fortunately, the Oldsmar, Florida water supply remained unaffected thanks to a resourceful operator who noticed the sudden change in the chemical levels and quickly responded. Yet the fact that attackers were even able to get into such mission-critical systems, let alone manipulate them, is worrying.

Unfortunately, this is not the first, and probably not the last, attack on critical infrastructure. Attacks across all sectors are growing bolder, more frequent, and exponentially more expensive for the victims. As operational networks become more connected, they are receiving special attention from attackers. These networks control the heart of critical operations. They make up the essence of operational continuity. They are made up of many legacy systems and devices, some of which entirely lack modern cybersecurity capabilities. And threat actors know this.

Another recent example is the attack on an Israeli water reservoir. OTORIO researchers showed how easy it is to find control systems - like those used in production plants and water treatment facilities - whose network security is exposed to the Internet. In December 2020, a threat actor published a video of a breach in an Israeli reclaimed water reservoir system. The reservoir’s system was connected directly to the Internet, without authentication or access limitation. This gave the attackers easy access to the system and allowed them, for example, to change the temperature. All it took was an Internet connection and access to websites that scan the Internet and index such systems. Hackers are looking for an opening - and an unsecured industrial control system is a great target.

Detecting cyberattacks and responding fast is essential. In fact, both the team in Oldsmar, Florida and the team at the Israeli water reservoir managed to regain control of their networks quickly. Unfortunately, relying on the awareness of human operators may not be sufficient next time. How can you prevent a successful attack on your network? Be proactive.

  • Secure and restrict Internet access to the operational network - This includes secure remote access (e.g. VPN), access restriction based on firewall rules, and an active defense strategy.
  • Perform a cybersecurity risk assessment for your operational network - Combine a comprehensive cyber risk assessment with penetration testing, focusing on your operational network.
  • Gain full visibility of your operational network - Make sure you have full visibility of your operational network, with clear business context. That way, you can prioritize risk mitigation based on the potential operational impact and choose feasible mitigation steps.
  • Automate as much as possible - Operational networks are becoming more complex, and attackers are becoming more sophisticated. It is no longer possible to rely only on manual monitoring. Automated cybersecurity systems, with built-in intelligence, can ensure that you keep your security status high, constantly checking for vulnerabilities, digital risks, and potential attack vectors.
  • Educate and train your employees - Most cyberattacks start with human error – from phishing emails to misconfigurations and everything in-between. Make sure to train your employees on cybersecurity guidelines.
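The Oldsmar change was caught only because an operator happened to be watching the screen. The automated-monitoring recommendation above can be made concrete with a small check over an HMI setpoint audit log, shown here as an added example that is not OTORIO's product code or any real plant's software; the log format, the tag name `NaOH_ppm`, the `plant_floor`/`remote_session` source labels and the limit values are all assumptions.

```python
"""Flag implausible dosing setpoint changes in an HMI audit log (added example).
Log format (timestamp tag old new source) and limits are assumptions, not taken
from any real plant or from the incident described above."""

# Constructed sample audit log: line 3 mimics a large remote change of the
# sodium hydroxide setpoint; line 4 is the operator restoring the normal value.
SAMPLE_LOG = """\
2021-02-05T08:00:00Z NaOH_ppm 100 100 plant_floor
2021-02-05T09:15:00Z NaOH_ppm 100 105 plant_floor
2021-02-05T13:30:00Z NaOH_ppm 105 11100 remote_session
2021-02-05T13:34:00Z NaOH_ppm 11100 100 plant_floor
"""

# Safety envelope per tag (assumed values): hard operating range and the largest
# factor one setpoint change may move the value by before it needs review.
LIMITS = {"NaOH_ppm": {"min": 50.0, "max": 250.0, "max_factor": 1.5}}


def in_range(tag, value):
    return LIMITS[tag]["min"] <= value <= LIMITS[tag]["max"]


def check_change(ts, tag, old, new, source):
    """Return the reasons a change needs review; an empty list means no alert."""
    if tag not in LIMITS:
        return []
    # Bringing an out-of-range value back into range is corrective, not suspicious.
    if in_range(tag, new) and not in_range(tag, old):
        return []
    reasons = []
    if not in_range(tag, new):
        reasons.append("new value outside operating range")
    if old > 0 and new > 0 and max(new / old, old / new) > LIMITS[tag]["max_factor"]:
        reasons.append("step change exceeds allowed factor")
    # Remote origin is reported only alongside another reason, to limit alert fatigue.
    if reasons and source != "plant_floor":
        reasons.append("change originated from a remote session")
    return reasons


def scan_log(text):
    """Parse audit lines and return (timestamp, tag, old, new, reasons) per alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, old, new, source = line.split()
        old, new = float(old), float(new)
        reasons = check_change(ts, tag, old, new, source)
        if reasons:
            alerts.append((ts, tag, old, new, reasons))
    return alerts
```

Running `scan_log(SAMPLE_LOG)` yields a single alert for the 105 to 11100 remote change, while the routine 100 to 105 adjustment and the operator's corrective change back to 100 pass silently.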

Safe critical infrastructure is essential for public health, environmental protection, and economic growth. Ensuring the reliability of critical infrastructure requires addressing the unique security constraints of operational networks. The recent attack on Florida’s water treatment facility could have easily resulted in the poisoning of thousands of citizens. We recommend that critical infrastructure safety and cybersecurity stakeholders combine a reactive approach with a proactive risk avoidance approach in their operational networks.
