After Oldsmar: How vulnerable is US critical infrastructure?
Following the highly publicized breach of a water treatment plant in Oldsmar, Fla., industrial security experts discuss the state of critical infrastructure risk in 2021.
Caught between December's SolarWinds supply chain attacks and more recent exploitation of zero-day vulnerabilities in Microsoft Exchange Server, it may be too easy to forget about another important cyber attack that happened just last month.
A water treatment plant in Oldsmar, Fla., a small city near Tampa with a population of roughly 15,000, was remotely breached by an intruder on Feb. 5. But rather than steal data or implant malware, the attacker briefly increased the quantity of a chemical called sodium hydroxide (also known as lye) in the water from 100 parts per million to 11,100 parts per million before a plant operator intervened.
While this could have tainted the plant's water, quick action by a plant operator and multiple fail-safes prevented poisoned water from ever entering (or being at risk of entering) the public drinking supply.
The identity, motive and origin of the intruder have not been disclosed, and many questions remain unanswered; a spokesperson for the Pinellas County (Fla.) Sheriff's Office told SearchSecurity on March 9 that "There are no updates to provide at this time." Regardless, additional details about the attack raised concerns about the security of both Oldsmar and critical infrastructure, in general.
A cybersecurity advisory by the Massachusetts state government revealed the intruder gained access through TeamViewer, which was installed on several computers and shared remote access passwords. These computers were all connected to the internet without firewall protection, were all connected to the supervisory control and data acquisition (SCADA) system used to conduct the attack and all utilized the 32-bit version of the Windows 7 operating system.
The attempted cyber attack on Oldsmar has raised concerns about threats to critical infrastructure in the U.S. We spoke with multiple industrial cybersecurity experts about the risks to critical infrastructure and the potential of attacks to cause real-world harm.
Small budgets, weak postures
Former Cybersecurity and Infrastructure Security Agency Director Christopher Krebs was asked about the Oldsmar attack at a House of Representatives Homeland Security Committee meeting on Feb. 10. Krebs referred to Oldsmar's weak security posture as likely "the rule, rather than the exception."
He pointed to the small budgets given to municipalities as a key factor preventing them from having the extensive security programs they need. This point was echoed by infosec professionals and critical infrastructure experts we interviewed.
John Cusimano, vice president of industrial cybersecurity at consultancy AESolutions and active member of the ISA Global Cybersecurity Alliance, said budget is a factor in the cybersecurity preparedness of water municipalities, and budgets are often tied to the size of the municipality. A water treatment facility in Washington, D.C., for example, will have a higher cybersecurity budget than a small suburb of Tampa, Fla.
"That's why it varies so much," Cusimano said. "The larger ones have bigger budgets and have a much larger population to serve, so they are more advanced and the smaller ones just aren't. There's not a lot of federal funding to support that -- they tend to be on very tight budgets."
American Water Works Association Federal Relations Manager Kevin Morley told us in an email that the AWWA, an international water management nonprofit founded in 1881, works "to build threat awareness and provide best practices with our partners." He said there is a challenge in working with constrained resources, but he pointed out there are low-cost options to improve security postures.
"There is a capacity challenge in the transfer and implementation of such practices, some of which may necessitate significant investment by an already resource-constrained entity. Other practices like strong passwords and unique users are controls that don't have major budgetary implications. In combination, these practices provide for a cybersecurity risk management strategy," Morley said.
Both AESolutions and AWWA work directly with water municipalities; we asked both Cusimano and Morley about whether their municipality clients and partners are learning from the Oldsmar attack.
Morley said "100%" and called the breach a "demonstration of why such cyber assessments are important." He added that water systems have been assessing cyberthreats since the passing of a law known as America's Water Infrastructure Act (AWIA) in 2018. Section 2013 of the AWIA established requirements for community water systems that serve more than 3,300 people to "develop or update risk assessments and emergency response plans (ERPs)."
Cusimano said that in his experience working with clients, the response to AWIA's passing has been mixed.
"We've been helping municipalities around the country meet that requirement. Some are putting more effort into it than others. Some are kind of treating it purely as a paper exercise -- filing the paperwork but not really using it as an impetus to really understand their cyber-risk. Others are," he said.
Cusimano added that while AESolutions generally works with clients who already have security programs in place, they have seen more inquiries since the highly publicized intrusion at Oldsmar.
Critical infrastructure and cybersecurity
Oldsmar's water treatment plant falls under the umbrella of critical infrastructure, a term that refers to assets and systems necessary for the proper functioning of a society. Critical infrastructure facilitates the economy, public safety and public health; it can account for water, power, internet, heating, military, transportation and much more.
Critical infrastructure is supported by specialized technology, both hardware and software. Some of this technology is connected to the internet, which exposes it to attacks whose results can be far-reaching.
While industrial cybersecurity and critical infrastructure are technically separate spaces, there is significant overlap between the two because of the amount of industrial technology used by critical infrastructure organizations.
Common terms used here are operational technology (OT), the overall category of technology that regulates the performance of kinetically operating machinery; industrial control systems (ICS), a segment of OT that includes individual systems that support specific industrial and critical functions; and SCADA, software used primarily for process control and data collection in OT environments such as Oldsmar's water treatment facility.
The physical equipment that falls under the OT umbrella is extremely diverse. It can include the SCADA system used to change the chemical levels at Oldsmar's water treatment plant, industrial manufacturing automation systems and the equipment responsible for an electrical grid's power distribution, to name a few.
All of these systems are vulnerable to cyber attacks and, unfortunately, the nature of expensive industrial systems -- where hardware is often purchased to last for decades rather than years -- results in difficult-to-eliminate security issues.
Grant Geyer, chief product officer at industrial cybersecurity vendor Claroty, called this problem one of two fundamental issues in OT security. The other, he said, is a culture used to having air-gapped environments that are completely disconnected from the internet.
"With continued digital transformation initiatives, what we see happening is that these highly vulnerable components that were never secured by design are both at risk technologically and also at risk because personnel don't know how to secure them," Geyer said. "And so, while organizations are certainly catching up, they're far behind where their counterparts are within IT."
Ben Miller, vice president of professional services and R&D at industrial cybersecurity vendor Dragos, said that while the overall security posture in ICS/OT is getting better, it's nowhere near traditional IT.
"They still have a long way to go. Are they getting better? Yes. They are also positioning security so there's a lot of different angles -- there's a lot of investment and improvement -- but there's a long way to go. I think it's fair to say they're a good 10 to 15 years behind where the traditional IT security community is," he said.
It's perhaps because of these issues and the increasing sophistication of threat actors that ICS/OT attacks are increasing. According to Dragos' "2020 Year in Review" report, ICS threats grew threefold in 2020.
The risks of physical harm
The main goals of most cyber attacks involving ICS/OT are the same as for cyber attacks in general: intelligence gathering by nation-states and financial gain via ransomware or other types of extortion. Geyer explained that critical infrastructure is particularly vulnerable to such extortion attacks. "If companies will pay to get their data back, imagine what industrial companies will pay to get equipment functionality back."
Fortunately, experts say, cyber attacks conducted to harm or kill people are much less frequent. No mass-casualty cyber attack has been recorded to date, though dangerous critical infrastructure breaches have, in fact, occurred.
In 2015, an attack on Ukraine's power grid resulted in temporary power outages impacting over 200,000 people for several hours. In 2013, Iranian hackers breached a New York dam and gained temporary access to the floodgates, but no physical consequences resulted. And, most recently, in 2017 an oil and gas facility in Saudi Arabia was hit with malware that targeted safety controls and attempted to cause an explosion at the facility. While the malware failed to achieve its goal, Dragos, which investigated the incident, said the threat actors intended to cause physical damage, as well as loss of life.
It is impossible to determine how many breaches against critical infrastructure have occurred, especially because many organizations with weak security postures may not even know they've been breached. But comparably few cyber attacks attempt to cause physical harm, and the attempts that have occurred often don't succeed.
One primary reason for this is the technical knowledge that is often required in these settings.
"In order to cause damage, in many cases, you need not only a cyber-payload to compromise the environment, but also a physics payload in order to make control changes or safety changes," Geyer said. "Therefore, if we look at some of the more malicious attacks that could be leveraged, while the entry vector may be quite simple, the knowledge of what to do definitely requires a higher order magnitude of knowledge."
Second, Dragos' Miller said, the stakes for such attacks, which could become mass-casualty events, are much higher and therefore carry more risk for threat actors.
"If you're causing a safety event, it's significant whether you're a foreign government or whether you are just an interested hacker. Creating this sort of impact is going to have long-term consequences to you individually. So, I think the risk for hackers or activity groups is pretty significant at the end of the day. Essentially, this would be a terrorism or national security event in a significant way," Miller said.
Third, there is the matter of fail-safes. Many critical infrastructure systems, like that in the Oldsmar water treatment plant, have multiple physical safeguards that prevent large-scale damage from taking place.
Jake Williams, founder of security firm Rendition Infosec and former National Security Agency security engineer, said those who build systems like water or power are "really good at setting up redundant fail-safes involving multiple layers of sensors."
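The redundant fail-safes Williams describes are physical, but the same idea applies in software at the point where an HMI or remote session writes a setpoint. The following is an added example, not code from the article or from any utility's actual control system: a software interlock that refuses a dosing setpoint outside engineering limits or more than a small step away from the current value, plus an independent check that redundant analyzers agree with the setpoint. The tag name, the limits (50 to 150 ppm, max 20 ppm per write), the shift of 100 ppm to 11,100 ppm and the sensor readings are all constructed assumptions chosen to mirror the Oldsmar scenario.

```python
"""Software interlock for a chemical-dosing setpoint (added example).

Not code from the article or any real plant. All tag names, limits and
events below are constructed assumptions modelled on the reported Oldsmar
change from 100 ppm to 11,100 ppm of sodium hydroxide.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Limits:
    """Engineering limits for one setpoint (assumed values)."""
    hard_min: float   # below this the write is refused outright
    hard_max: float   # above this the write is refused outright
    max_step: float   # largest change allowed in a single write


@dataclass
class Decision:
    tag: str
    requested: float
    accepted: bool
    reason: str
    source: str       # which console or session issued the write


# Hypothetical tag and limits for a lye dosing setpoint, in ppm.
NAOH_TAG = "naoh_setpoint_ppm"
NAOH_LIMITS = Limits(hard_min=50.0, hard_max=150.0, max_step=20.0)

# Constructed write events: (tag, requested value, source).
EVENTS: List[Tuple[str, float, str]] = [
    (NAOH_TAG, 110.0, "operator_console"),   # routine adjustment
    (NAOH_TAG, 11100.0, "remote_session"),   # Oldsmar-style jump
    (NAOH_TAG, 95.0, "operator_console"),    # routine adjustment
    (NAOH_TAG, 130.0, "remote_session"),     # in range, but a 35 ppm step
]

# Constructed readings from three redundant analyzers (ppm).
SAMPLE_READINGS: Dict[str, float] = {
    "analyzer_a": 96.0, "analyzer_b": 94.5, "analyzer_c": 300.0,
}


def validate_setpoint(tag: str, current: float, requested: float,
                      limits: Limits, source: str) -> Decision:
    """Accept a write only if it lies within hard limits AND is at most
    max_step away from the current value. The first failing check is the
    recorded reason so an operator sees why the write was refused."""
    if not (limits.hard_min <= requested <= limits.hard_max):
        reason = f"outside hard limits {limits.hard_min}-{limits.hard_max}"
        return Decision(tag, requested, False, reason, source)
    step = abs(requested - current)
    if step > limits.max_step:
        reason = f"step {step:.1f} exceeds max_step {limits.max_step}"
        return Decision(tag, requested, False, reason, source)
    return Decision(tag, requested, True, "ok", source)


def process_writes(events, limits: Limits,
                   start_value: float) -> Tuple[float, List[Decision]]:
    """Apply writes in order; only accepted writes move the live value."""
    current = start_value
    decisions: List[Decision] = []
    for tag, requested, source in events:
        decision = validate_setpoint(tag, current, requested, limits, source)
        decisions.append(decision)
        if decision.accepted:
            current = requested
    return current, decisions


def sensor_agreement_alarm(setpoint: float, readings: Dict[str, float],
                           tolerance: float) -> List[str]:
    """Independent layer: names of analyzers whose measured value differs
    from the setpoint by more than tolerance (a sign of a stuck sensor or
    of a process that no longer matches the commanded setpoint)."""
    return [name for name, value in readings.items()
            if abs(value - setpoint) > tolerance]


if __name__ == "__main__":
    final, decisions = process_writes(EVENTS, NAOH_LIMITS, 100.0)
    for d in decisions:
        print(f"{d.source:17} {d.requested:>8.1f}  "
              f"{'ACCEPT' if d.accepted else 'REJECT'}  {d.reason}")
    print("live setpoint:", final)
    print("sensor alarms:", sensor_agreement_alarm(final, SAMPLE_READINGS, 10.0))
```

The two checks are deliberately independent: the hard limits stop an absurd value regardless of history, while the step limit catches a sequence of in-range writes that together move the process too fast. The analyzer check runs on measured values rather than on commands, so it still fires if a write bypasses the interlock entirely.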
As previously stated, the motive and identity of the Oldsmar attacker are currently unknown. But Williams didn't think a nation-state threat group, common in ICS/OT cybersecurity, was responsible.
"Nation-states aren't being this obvious and, secondarily, they have a lot more to worry about. If there's an attack on critical infrastructure that results in real-world harm or someone being harmed directly, I would expect to see, at least, a consideration or discussion of a kinetic response to that. I would assess with moderate to high confidence that this was not a nation-state attacker at all," he said.
Future risk and prevention
ICS/OT attacks are increasing, Miller said, and Dragos has reason to think it will only get worse.
"Our belief is that there's investment being made in understanding these systems and how to manipulate them, but those investments by these activity groups require a four- to six-year span in order to get up to speed. So, what we're seeing is investments made five years ago and [the number of attacks] will continually be increasing over time," he said.
However, he noted increased interest from clients in improving security posture.
"When I look at the number of security engagements my team does, it's increasing, and the security posture for our clients is not where we want it to be, but they are engaging us more," Miller said. "There is an increased focus on this, there is investment, there is a continued effort to gain visibility into environments where they didn't have visibility before."
Williams said that while there are strides to be made in critical infrastructure security, "We are not one hacker on TeamViewer away from shutting down, quote-unquote, 'the power grid.'"
"People come out of the woodwork every time there's one of these stories [like Oldsmar]. There's a lot of these strawmen [talking] about how this represents all kinds of problems with security and, 'Oh my gosh, we're one hack away from all your power being shut off and us being thrust back into the Dark Ages.' That's just hyperbole."
But, again, OT and ICS environments frequently face security challenges like technological and economic limitations, and Geyer recommended organizations improve their posture with simple steps such as applying multifactor authentication, auditing logs, and implementing strong authentication and access management.
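The Massachusetts advisory cited earlier describes remote-access software with shared passwords on internet-exposed machines; Geyer's recommendation to audit logs is the low-cost control that would surface that pattern. The following is an added example, not code from the article or from any vendor's product: it parses a constructed remote-access session log and reports accounts used from more than one source address (a shared-credential indicator), sessions started outside operator shift hours, and sessions from addresses outside an assumed jump-host subnet. The log format, host names, account names, IP ranges and shift hours are all constructed assumptions; real remote-access tools log in their own formats.

```python
"""Audit of remote-access session logs for an OT network (added example).

Not code from the article or any vendor. The log format below is an
assumed generic one; hosts, accounts, addresses and the shift window are
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) account=(?P<account>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)

# Constructed log excerpt in the assumed format (one malformed line included).
SAMPLE_LOG = """\
2021-02-05 02:14:09 host=HMI-01 account=ops-shared src=203.0.113.5 event=session_start
2021-02-05 02:19:51 host=HMI-01 account=ops-shared src=203.0.113.5 event=session_end
2021-02-05 08:02:11 host=HMI-01 account=ops-shared src=192.0.2.10 event=session_start
2021-02-05 08:40:02 host=HMI-01 account=ops-shared src=192.0.2.10 event=session_end
2021-02-05 09:30:00 host=HMI-03 account=jdoe src=192.0.2.11 event=session_start
2021-02-05 13:05:47 host=HMI-02 account=ops-shared src=198.51.100.77 event=session_start
2021-02-05 13:12:30 host=HMI-02 account=ops-shared src=198.51.100.77 event=session_end
this line is not a log entry
"""

# Assumed policy: remote sessions only from the jump-host subnet, during shifts.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]
SHIFT_HOURS = (6, 18)   # sessions expected between 06:00 and 18:00 local


def parse_log(text: str) -> List[Dict]:
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        record = match.groupdict()
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(record)
    return events


def audit(events: List[Dict], allowed_sources, shift_hours) -> Dict:
    """Three independent checks over the parsed events."""
    sources_per_account = defaultdict(set)
    off_hours, unexpected_source = [], []
    for e in events:
        # Every event counts toward the shared-credential check.
        sources_per_account[e["account"]].add(e["src"])
        if e["event"] != "session_start":
            continue
        stamp = e["ts"].strftime("%Y-%m-%d %H:%M:%S")
        finding = (stamp, e["host"], e["account"], e["src"])
        if not shift_hours[0] <= e["ts"].hour < shift_hours[1]:
            off_hours.append(finding)
        addr = ipaddress.ip_address(e["src"])
        if not any(addr in net for net in allowed_sources):
            unexpected_source.append(finding)
    shared = {acct: sorted(srcs) for acct, srcs in sources_per_account.items()
              if len(srcs) > 1}
    return {"shared_accounts": shared, "off_hours": off_hours,
            "unexpected_source": unexpected_source}


if __name__ == "__main__":
    report = audit(parse_log(SAMPLE_LOG), ALLOWED_SOURCES, SHIFT_HOURS)
    for kind, findings in report.items():
        print(kind)
        for item in (findings.items() if isinstance(findings, dict) else findings):
            print("  ", item)
```

The shared-account check is the one that maps most directly to the Oldsmar advisory: a single account appearing from several source addresses is what shared remote-access credentials look like in a log, and it needs no agent or new tooling, only the log the remote-access software already writes.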
In addition, Geyer recommended organizations pay attention to lessons learned in enterprise IT risk management, specifically those related to user education. Users are trained in IT environments to not click on suspicious links or open strange emails, and these are lessons that people who aren't conventional cybersecurity experts can take to heart.
"If you can remove 80-90% of the common attack vectors just in user education, it dramatically decreases what the security team needs to clean up," Geyer said. "If you can train OT engineers about what the common things are that can add risk to the enterprise, you can significantly reduce risk from a cyber incident and critical infrastructure standpoint and focus the scarce cyber resources you have as a safety net for what escapes the first line of defense."
Alexander Culafi is a writer, journalist and podcaster based in Boston.