At an Oldsmar, Fla., water treatment facility on Feb. 5, an operator watched a computer screen as someone remotely accessed the system monitoring the water supply and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. The chemical, also known as lye, is used in small concentrations to control acidity in the water.

In larger concentrations, the compound is poisonous – the same corrosive chemical used to eat away at clogged drains.

The impact of cybersecurity attacks

The incident is the latest example of how cybersecurity attacks can translate into real-world, physical security consequences – even deadly ones.Cybersecurity attacks on small municipal water systems have been a concern among security professionals for years.

The computer system was set up to allow remote access only to authorised users. The source of the unauthorised access is unknown. However, the attacker was only in the system for 3 to 5 minutes, and an operator corrected the concentration back to 100 parts per million soon after. It would have taken a day or more for contaminated water to enter the system.

In the end, the city’s water supply was not affected. There were other safeguards in place that would have prevented contaminated water from entering the city’s water supply, which serves around 15,000 residents.

The remote access used for the attack was disabled pending an investigation by the FBI, Secret Service and Pinellas County Sheriff’s Office.

On Feb. 2, a compilation of breached usernames and passwords, known as COMB for “Compilation of Many Breaches,” was leaked online. COMB contains 3.2 billion unique email/password pairs. It was later discovered that the breach included the credentials for the Oldsmar water plant.

Water plant attacks feared for years

Cybersecurity attacks on small municipal water systems have been a concern among security professionals for years. Florida’s Sen. Marco Rubio tweeted that the attempt to poison the water supply should be treated as a “matter of national security.

The incident at the Oldsmar water treatment plant is a reminder that our nation’s critical infrastructure is continually at risk; not only from nation-state attackers, but also from malicious actors with unknown motives and goals,” comments Mieng Lim, VP of Product Management at Digital Defense Inc., a provider of vulnerability management and threat assessment solutions.The attack on Oldsmar’s water treatment system shows how critical national infrastructure is increasingly becoming a target for hackers as organizations bring systems online

Our dependency on critical infrastructure – power grids, utilities, water supplies, communications, financial services, emergency services, etc. – on a daily basis emphasises the need to ensure the systems are defended against any adversary,” Mieng Lim adds. “Proactive security measures are crucial to safeguard critical infrastructure systems when perimeter defences have been compromised or circumvented. We have to get back to the basics – re-evaluate and rebuild security protections from the ground up.”

"This event reinforces the increasing need to authenticate not only users, but the devices and machine identities that are authorised to connect to an organisation's network,” adds Chris Hickman, Chief Security Officer at digital identity security vendor Keyfactor. “If your only line of protection is user authentication, it will be compromised. It's not necessarily about who connects to the system, but what that user can access once they're inside.

"If the network could have authenticated the validity of the device connecting to the network, the connection would have failed because hackers rarely have possession of authorised devices. This and other cases of hijacked user credentials can be limited or mitigated if devices are issued strong, crypto-derived, unique credentials like a digital certificate. In this case, it looks like the network had trust in the user credential but not in the validity of the device itself. Unfortunately, this kind of scenario is what can happen when zero trust is your end state, not your beginning point."

The attack on Oldsmar’s water treatment system shows how critical national infrastructure is increasingly becoming a target for hackers as organisations bring systems online for the first time as part of digital transformation projects,” says Gareth Williams, Vice President - Secure Communications & Information Systems, Thales UK. “While the move towards greater automation and connected switches and control systems brings unprecedented opportunities, it is not without risk, as anything that is brought online immediately becomes a target to be hacked.”

Operational technology to mitigate attacks

Williams advises organisations to approach Operational Technology as its own entity and put in place procedures that mitigate against the impact of an attack that could ultimately cost lives. This means understanding what is connected, who has access to it and what else might be at risk should that system be compromised, he says. “Once that is established, they can secure access through protocols like access management and fail-safe systems.” 

The cyberattack against the water supply in Oldsmar should come as a wakeup call,” says Saryu Nayyar, CEO, Gurucul.  “Cybersecurity professionals have been talking about infrastructure vulnerabilities for years, detailing the potential for attacks like this, and this is a near perfect example of what we have been warning about,” she says. 

Although this attack was not successful, there is little doubt a skilled attacker could execute a similar infrastructure attack with more destructive results, says Nayyar. Organisations tasked with operating and protecting critical public infrastructure must assume the worst and take more serious measures to protect their environments, she advises.

Fortunately, there were backup systems in place in Oldsmar. What could have been a tragedy instead became a cautionary tale. Both physical security and cybersecurity professionals should pay attention.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SourceSecurity.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SourceSecurity.com's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.

In case you missed it

Physical security and the cloud: why one can’t work without the other
Physical security and the cloud: why one can’t work without the other

Human beings have a long-standing relationship with privacy and security. For centuries, we’ve locked our doors, held close our most precious possessions, and been wary of the threats posed by thieves. As time has gone on, our relationship with security has become more complicated as we’ve now got much more to be protective of. As technological advancements in security have got smarter and stronger, so have those looking to compromise it. Cybersecurity Cybersecurity, however, is still incredibly new to humans when we look at the long relationship that we have with security in general. As much as we understand the basics, such as keeping our passwords secure and storing data in safe places, our understanding of cybersecurity as a whole is complicated and so is our understanding of the threats that it protects against. However, the relationship between physical security and cybersecurity is often interlinked. Business leaders may find themselves weighing up the different risks to the physical security of their business. As a result, they implement CCTV into the office space, and alarms are placed on doors to help repel intruders. Importance of cybersecurity But what happens when the data that is collected from such security devices is also at risk of being stolen, and you don’t have to break through the front door of an office to get it? The answer is that your physical security can lose its power to keep your business safe if your cybersecurity is weak. As a result, cybersecurity is incredibly important to empower your physical security. We’ve seen the risks posed by cybersecurity hacks in recent news. Video security company Verkada recently suffered a security breach as malicious attackers obtained access to the contents of many of its live camera feeds, and a recent report by the UK government says two in five UK firms experienced cyberattacks in 2020. Cloud computing – The solution Cloud stores information in data centres located anywhere in the world, and is maintained by a third party Cloud computing offers a solution. The cloud stores your information in data centres located anywhere in the world and is maintained by a third party, such as Claranet. As the data sits on hosted servers, it’s easily accessible while not being at risk of being stolen through your physical device. Here’s why cloud computing can help to ensure that your physical security and the data it holds aren’t compromised. Cloud anxiety It’s completely normal to speculate whether your data is safe when it’s stored within a cloud infrastructure. As we are effectively outsourcing our security by storing our important files on servers we have no control over - and, in some cases, limited understanding of - it’s natural to worry about how vulnerable this is to cyber-attacks. The reality is, the data that you save on the cloud is likely to be a lot safer than that which you store on your device. Cyber hackers can try and trick you into clicking on links that deploy malware or pose as a help desk trying to fix your machine. As a result, they can access your device and if this is where you’re storing important security data, then it is vulnerable. Cloud service providers Cloud service providers offer security that is a lot stronger than the software in the personal computer Cloud service providers offer security that is a lot stronger than the software that is likely in place on your personal computer. Hyperscalers such as Microsoft and Amazon Web Service (AWS) are able to hire countless more security experts than any individual company - save the corporate behemoth - could afford. These major platform owners have culpability for thousands of customers on their cloud and are constantly working to enhance the security of their platforms. The security provided by cloud service providers such as Claranet is an extension of these capabilities. Cloud resistance Cloud servers are located in remote locations that workers don’t have access to. They are also encrypted, which is the process of converting information or data into code to prevent unauthorised access. Additionally, cloud infrastructure providers like ourselves look to regularly update your security to protect against viruses and malware, leaving you free to get on with your work without any niggling worries about your data being at risk from hackers. Data centres Cloud providers provide sophisticated security measures and solutions in the form of firewalls and AI Additionally, cloud providers are also able to provide sophisticated security measures and solutions in the form of firewalls and artificial intelligence, as well as data redundancy, where the same piece of data is held within several separate data centres. This is effectively super-strong backup and recovery, meaning that if a server goes down, you can access your files from a backup server. Empowering physical security with cybersecurity By storing the data gathered by your physical security in the cloud, you're not just significantly reducing the risk of cyber-attacks, but also protecting it from physical threats such as damage in the event of a fire or flood. Rather than viewing your physical and cybersecurity as two different entities, treat them as part of one system: if one is compromised, the other is also at risk. They should work in tandem to keep your whole organisation secure.

Video surveillance is getting smarter and more connected
Video surveillance is getting smarter and more connected

The global pandemic has triggered considerable innovation and change in the video surveillance sector. Last year, organisations around the globe embraced video surveillance technologies to manage social distancing, monitor occupancy levels in internal and external settings, and enhance their return-to-work processes. Forced to reimagine nearly every facet of their operations for a new post-COVID reality, companies were quick to seize on the possibilities offered by today’s next-generation video surveillance systems. Whether that was utilising motion sensing technologies to automatically close doors or switch on lighting in near-deserted office facilities. Or checking if people were wearing masks and adhering to distancing rules. Or keeping a watchful eye on streets and public spaces during mandated curfew hours. Beyond surveillance and monitoring use cases, organisations also took advantage of a raft of new Artificial Intelligence (AI) applications to undertake a range of tasks. Everything from automating their building management and optimising warehouse operations, to increasing manufacturing output and undertaking predictive maintenance. Behind the scenes, three key trends all contributed to the growing ubiquity of video surveillance observed in a variety of government, healthcare, corporate, retail, and industry settings. Video surveillance takes to the Cloud Last year the shift to digital working led organisations to rapidly embrace cloud-enabled services, including cloud-hosted Video Surveillance As A Service (VSaaS) solutions that provide tremendous economies of scale and flexibility. Alongside significant cost savings, these solutions make it easier for organisations to enhance their disaster recovery and manage their video surveillance estate in new and highly effective ways. Surveillance cameras with audio recording were used more than 200% by customers between 2016 and 2020For example, in addition to enabling remote access and maintenance, today’s cloud-powered systems eliminate any need to invest in local storage technologies that all too often fail to keep pace with an organisation’s growing data storage requirements. Indeed, data from our worldwide customer base survey reveals how in 2020 an impressive 63% of organisations had abandoned using any on-premises storage option and were instead only storing all their video surveillance recordings and data in the Cloud. A deeper review of the global stats shows that the average cloud recording retention period for this stored data was 28.2 days, with organisations in Asia topping the global average at 38 days – 33% higher than was observed in any other region. Improvements in bandwidth and scalability engendered by the Cloud have also helped boost the growing utilisation of audio recordings in addition to visual image capture. Indeed, our research found the number of surveillance cameras with an audio recording facility used by customers jumped more than 200% between 2016 and 2020. Making sense of Big Data The enhanced ease of connectivity and scalable bandwidth made possible by the Cloud is stimulating more companies to connect a lot more video surveillance cameras to their networks. The top motivation for doing so is to generate live metrics and data that can be utilised to deliver enhanced business insights and operational intelligence. In recent years, a rich choice of video analytics solutions have been developed for a variety of industry verticals. The range of functionalities on offer is impressive and covers a variety of applications. Everything from making it easy to classify and track objects and behaviour patterns in real-time, to undertaking anomaly detection, or generating predictions based on past and present events/activities. Data collected via today’s cloud connected cameras can now also be used to feed deep learning training and AI analytics, utilising the unparalleled virtualised processing capacity of the Cloud to convert Big Data into usable information quickly. By integrating this information with data from other enterprise data capture systems, organisations are now able to gain a 360-degree view of their operations – in almost real-time. IT is now in the driving seat No longer the sole preserve of on-site security staff, the wider application and business use of video surveillance means that IT is increasingly taking the lead role where the management and control of these systems are concerned. IT is asked to integrate video surveillance into key enterprise platforms to generate the data that business leaders need Aside from the fact that IT has a vested interest in addressing the cybersecurity implications that come with attaching a growing range of IoT devices to the enterprise network, they’re also increasingly being asked to integrate video surveillance into key enterprise platforms to generate the data that business leaders need. As organisations expand their integration of video with other business applications, such as point of sale, access control, process control and manufacturing systems, this trend is only set to accelerate. Looking to the future Right now, the video surveillance industry is at a key tipping point, as video systems become increasingly strategic for enabling the enterprise to boost productivity, stay compliant, and fulfil its obligations to protect employees and customers. As the technology’s contribution to enhanced data-driven decision-making and problem solving continues to increase, expect the adoption of IP connected video cameras to burgeon as organisations look to capture more data from their day-to-day business operations.

How has Brexit affected the security industry?
How has Brexit affected the security industry?

When the United Kingdom voted to leave the European Union, a world of uncertainty unfolded for those doing business in the UK and the EU. The referendum was passed in July 2016. Including subsequent delays, the separation was completed after four years in January 2020, with a transition period ending December 2020. Even with the deadlines past, there are still pockets of uncertainty stemming from the separation. We asked this week’s Expert Panel Roundtable: How has Brexit affected the security industry?