Water After Oldsmar

How to Prevent the Next Attack on Our Water Infrastructure

By Josh Cohen, Cyber Director, Economic and Trade Mission at the Embassy of Israel to the U.S.

To get a preview of the next possible mass casualty terrorist attack, look no further than the Florida town of Oldsmar. In what was surely a Sum of All Fears  moment for Government officials, a cyber intruder of unknown origin attempted to poison Oldsmar’s water supply on February 5th by hacking the town’s water treatment plant. Using the remote access program TeamViewer – widely used by IT professionals to provide remote support – the hackers accessed the facility’s control systems and attempted to increase the amount of sodium hydroxide to dangerous levels.

Luckily, an alert plant operator noticed the attack and stopped it, but the outcome could have been far worse. This isn’t the first time hackers have attempted to poison civilians through water infrastructure. Last year, Israel thwarted an assault attempt by Iranian hackers on the country’s control systems of wastewater treatment plants, pumping stations and sewers. In this case, the hackers tried to raise the level of chlorine to dangerous levels.

Cyber attacks on water plants aren’t new. Since the first known hacking attempt on an Australian water facility in 2000, numerous attacks against water utilities have been attempted. And in 2014, the Department of Homeland Security (DHS) warned that America’s nation state adversaries were mapping U.S. water infrastructure.

For a number of reasons, U.S. water and wastewater utilities are juicy targets for hackers. While some countries such as the UK have a limited number of larger water utilities, the U.S. water sector is highly fragmented, with approximately 70,000 water plants, many of which are bare bone municipally-run operations. As a result, a lot of water utilities have only one or two IT professionals, no cyber experts, and precious little money available to develop any kind of cyber defense program.

Moreover, while cyber defenders traditionally have concentrated on threats to organizations’ IT networks, the real threat to critical infrastructure operators are their operational technologies (OT)—the complex industrial control systems (ICS)  used to manage the generators, pumps, valves and other equipment used by water plants and other industrial operators. Historically, the OT remained separated, or “air-gapped,” from the internal IT networks connected to the internet; however, with the advent of converged OT-IT networks this is no longer the case. In a word, these industrial control systems are now connected to the internet, making them vulnerable to hacking.

Despite their cyber-vulnerabilities, water utilities can still take a number of steps to protect themselves. To start with, utilities should also conduct regular risk assessments to identify possible security gaps. This will allow management to understand their cyber-profile and prioritize the order in which vulnerabilities are addressed. A number of free tools such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework can help guide utilities’ risk assessments.

And since you can’t protect what you don’t even know you have, water utilities – and indeed any critical infrastructure operators – should regularly inventory their organization’s entire asset base. Performing this inventorying can enable plant operators to discover and terminate internet connections posing dangers to industrial control systems.

Water utilities could also consider removing the threat to their OT assets by keeping them strictly air gapped. Alternatively, utilities wishing to enable OT-IT integration safely can use “unidirectional security gateways” from cyber companies such as Waterfall to ensure that while valuable data can flow from industrial control systems to outside networks, IT data is blocked from ever reaching the sensitive OT.

Fourth, water utilities – especially smaller water utilities where an IT manager may frequently need to provide support remotely – can implement so-called Secure Access Service Edge (SASE) systems from companies that make accessing private apps simple and secure.

Finally, as information security professionals constantly repeat, simply using proper cyber hygiene can go a long way towards making any organization more cybersecure. Paul de Souza, founder and CEO of the Washington, DC cyber-training non-profit the Cybersecurity Forum Initiative, emphasizes “doing the simple stuff, the basic blocking and tackling of cyber defense.” de Souza emphasizes the simple stuff, such as using two-factor authentication, frequently changing passwords, backing up your data, keeping software updated – including adding patches where necessary – and implementing cyber training programs for employees. Indeed, while it’s natural to think of cyber threats as technical challenges that can be defeated by even better technical solutions, “the number of attacks that could be thwarted simply by training employees not to click on links or attachments of unknown origins is massive” according to de Souza. Indeed, the fact that the username and passwords of the hacked Teamviewer program were possibly stolen through phishing or social engineering amply demonstrates the value of increasing employees’ awareness of lurking cyber threats.

To be clear, even implementing all these steps isn’t a panacea, and determined hackers can still breach even the best defenses, but taking these steps will still go a long way towards keeping our precious water resources from becoming the vector for a catastrophe.

About the Author

Josh Cohen is the Cyber Director at the Economic and Trade Mission at the Embassy of Israel to the U.S. where he connects Israeli cyber startups with American customers, investors and partners

Josh can be reached online at josh.cohen@israeltrade.gov.il and on Linkedin