Oldsmar cyberattack raises importance of water utility assessments, training



On Monday, February 8, a press conference hosted by Pinellas County, Florida, sheriff Bob Gualtieri dropped an industrial cybersecurity bombshell that reverberated worldwide. Gualtieri, along with the mayor and city manager of Oldsmar (population 15,000), revealed that a hacker had infiltrated the Oldsmar water treatment system to change the level of sodium hydroxide in the city’s water supply from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also called lye, is a highly caustic chemical that is a key ingredient in liquid drain cleaners.

The hacker gained unauthorized access to an internal industrial control system (ICS), likely using stolen or lost credentials, via TeamViewer, a remote desktop application that allows users to log into systems from afar and that became ubiquitous across many organizations during the COVID-19 crisis. Gualtieri and the city officials offered only a few other details of the disturbing breach.

The attacker was caught in the act by a water utility employee who happened to see the cursor moving on the screen and executing commands; hours later, those commands were discovered to be the malicious changes to the chemical composition. Once the changes were discovered, the sodium hydroxide level was restored to its original setting and no harm was done to the water supply. System checks and redundancies would have caught the deadly changes anyway, the officials maintained.
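One form such a check can take, shown here as an added example that is not from the article and not any Oldsmar system's code: a setpoint guard in front of the dosing controller that refuses writes outside engineering bounds and holds unusually large steps until a second operator signs off. All limits, operator names and the replayed scenario are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SetpointLimits:
    # Engineering limits for one dosing setpoint; the numbers used below are
    # hypothetical stand-ins for a plant's own validated values.
    unit: str
    hard_min: float   # writes below this are refused outright
    hard_max: float   # writes above this are refused outright
    max_step: float   # largest change one operator may apply in a single write


@dataclass
class SetpointGuard:
    limits: SetpointLimits
    current: float
    events: List[str] = field(default_factory=list)   # audit trail for alarms / SIEM

    def request_change(self, new_value: float, operator: str,
                       approver: Optional[str] = None) -> bool:
        """Apply a setpoint write only if it passes range and step checks; True if applied."""
        lim = self.limits
        if not lim.hard_min <= new_value <= lim.hard_max:
            self.events.append(f"REJECT out-of-range: {operator} requested {new_value} "
                               f"{lim.unit}, allowed [{lim.hard_min}, {lim.hard_max}]")
            return False
        step = abs(new_value - self.current)
        if step > lim.max_step and approver is None:
            self.events.append(f"HOLD step {step} {lim.unit} > {lim.max_step}: "
                               f"{operator} needs a second operator's approval")
            return False
        self.events.append(f"APPLY {self.current} -> {new_value} {lim.unit} by {operator}"
                           + (f", approved by {approver}" if approver else ""))
        self.current = new_value
        return True


# Constructed scenario mirroring the reported change: 100 ppm -> 11,100 ppm.
NAOH = SetpointLimits(unit="ppm", hard_min=50.0, hard_max=200.0, max_step=20.0)


def replay_oldsmar() -> SetpointGuard:
    g = SetpointGuard(limits=NAOH, current=100.0)
    g.request_change(11100.0, operator="remote-session")                   # refused
    g.request_change(110.0, operator="day-shift")                          # applied
    g.request_change(150.0, operator="day-shift")                          # held
    g.request_change(150.0, operator="day-shift", approver="supervisor")   # applied
    return g
```

The guard is only as good as the limits fed to it; the point is that an 11,100 ppm write should fail a range check long before any downstream redundancy has to catch it.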

No one has yet determined whether the hacker was domestic or originated outside the United States. The FBI and the Secret Service are working on an investigation.

Attacker likely not a nation-state

Although this hack resembles an incident last May in which Iranian state threat actors attempted to alter chlorine levels in a major attempted cyberattack against Israeli water infrastructure, ICS cybersecurity experts say that the Oldsmar attack looks to be an amateur operation, likely a crime of opportunity.

“This incident did not seem to include any characteristics that indicate thorough planning and did not show the level of complexity we often observe from sophisticated actors such as nation-state sponsored groups,” Daniel Kapellmann Zafra, manager of analysis, Mandiant Threat Intelligence, tells CSO. “The attacker seemingly used a fairly common technique, accessing an internet-exposed human-machine interface (HMI), and performed modifications on the process that were unlikely to remain unnoticed.”

Copyright © 2021 IDG Communications, Inc.
