Anatomy of the Oldsmar Water Plant Attack
The FBI, the Department of Homeland Security, the U.S. Secret Service and the Pinellas County Sheriff’s Office are investigating the attack in Oldsmar, and it is unclear where the attack originated from and what the motivations of the attacker or attackers were.
According to a Massachusetts state advisory describing FBI findings on the attack, on Feb. 5, unidentified malicious actors “obtained unauthorized access, on two separate occasions, approximately five hours apart, to the supervisory control and data acquisition (SCADA) system” used at the plant.
They accessed the SCADA system “via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.”
According to ProPublica, the city had actually stopped using TeamViewer six months earlier, but never disconnected the program.
Alarmingly, according to the advisory, all computers used by personnel at the Oldsmar plant were connected to the SCADA system and used an outdated, 32-bit version of the Windows 7 operating system. Even more worrisome, the Massachusetts advisory states, “computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
A plant operator noticed the first intrusion, according to ProPublica, but “didn’t think much of it” Pinellas County Sheriff Bob Gualtieri said at a news conference. It wasn’t until after the second intrusion, when the attacker took over a computer and changed the amount of sodium hydroxide in the water from 100 parts per million to 1,100 parts per million, that the plant worker alerted his boss. The worker lowered the levels of sodium hydroxide and the city called the county sheriff’s office three hours later, ProPublica reports.
“This is dangerous stuff,” Gualtieri said, according to The New York Times. “It’s a bad act. It’s a bad actor. It’s not just a little chlorine, or a little fluoride — you’re basically talking about lye.”
Cybersecurity Lessons for Utilities and Critical Infrastructure Providers
Large utilities often have robust cybersecurity protections, but smaller water utilities, electric power utilities and other small critical infrastructure providers do not. That makes them easy targets, experts say.
“These are the targets we worry about,” Eric Chien, a security researcher at Symantec, tells the Times. “This is a small municipality that is likely small-budgeted and under-resourced, which purposely set up remote access so employees and outside contractors can remote in.”
There are several steps that utilities should take to harden their cybersecurity in the wake of the attack, according to experts and government agencies.
The FBI, DHS’ Cybersecurity and Infrastructure Security Agency, the Multi-State Information Sharing and Analysis Center and federal Environmental Protection Agency said in an alert that organizations should update to the latest versions of software they use, deploy multifactor authentication, use strong passwords to protect Remote Desktop Protocol (RDP) credentials and ensure anti-virus solutions, spam filters and firewalls are up to date, properly configured and secure.