There was a time when “something in the water” conjured memories of the shark from Jaws. But a recently reported cyber attack against a Florida water treatment facility means malicious hackers are the new danger in the water.
Although the attack sounds dire, failsafe mechanisms and quick action by a facility operator ensured that the water supply was not compromised and remained safe for consumption. However, the potentially catastrophic real-world impacts of critical infrastructure hacks highlight the need for action to address cybersecurity risks like misuse of remote access and outdated software.
According to the Pinellas County sheriff’s department, an unknown attacker was able to gain remote access to a computer system used by the city of Oldsmar for supervisory control and data acquisition (SCADA). These systems gather data from sensors in industrial machinery, such as pH sensors in water treatment tanks, and issue electronic commands to the machinery in response, like adding specific chemicals to balance the pH level of the water.
In this hack, an unknown actor was able to gain remote access to the facility’s SCADA system and adjust the amount of sodium hydroxide, a caustic chemical commonly known as lye, to over 100 times the normal level. In small amounts, the chemical safely treats water, but large quantities cause chemical burns.
Luckily, a facility operator was sitting at the SCADA computer screen and saw the remote attacker take control of the mouse and keyboard. While remote control of the mouse and keyboard is part of standard procedure for remote support, the chemical level set by the attacker was well outside of normal limits, so the operator changed it back immediately. County officials stressed that other failsafe mechanisms exist which would have caught and corrected the change, such as chemical level and pH monitoring.
There are four major issues at play in this attack and others like it, including:
Sheriff Woody in Toy Story says, “Somebody’s poisoned the water hole!” but also “Reach for the sky!” when he finds the criminals. At Coalition, we recommend everybody have a digital sheriff keeping an eye on cyber risks, even if you aren’t in charge of critical infrastructure like water treatment or power generation.
Attacks against these organizations are potentially life-threatening. While attacks against most other organizations will not be as dire, they do pose serious challenges to you, your customers, and your community.
Here are our top tips to protect yourself from cyber attacks:
All organizations have cyber risks, whether you’re a professional services firm, critical infrastructure operator, or other business. The threat landscape continues to evolve, and your response to cyber threats must evolve with it. Following the tips above as well as the guidance in the Coalition Cybersecurity Checklist can help you do just that.
For specific questions or additional details, you can always reach us at [email protected]. We are happy to set up time to discuss how to improve your security and reduce your cyber risk.