Protecting the water supply – hacker edition

What can municipalities do to better protect their water supply systems?

Editor’s note: contributed blogs like this are part of ChannelBuzz.ca’s annual sponsorship program. Find out more here. This article was written by Cameron Camp, security researcher at ESET and was originally posted on the We Live Security site.)

We reported recently about an attack against the water supply in Oldsmar, Florida, and worry about the potential for future and copycat attacks against other lightly defended water treatment systems in small towns worldwide and what can be done to stem such incursions.

In the Florida case, criminals used remote access tools to gain a foothold and change chemical levels in the water supply, ramping them up to potentially hazardous levels.

That’s worrisome, including because hackers would normally have to gain specific knowledge of water treatment management systems, a very specific target demographic. That’s not a “spray and pray” attack; it’s targeted and takes some time to craft and deploy. And while this incident wasn’t a super stealthy zero-day attack, chances are that somebody was interested in the target for some time.

From the attacker perspective (meaning a typical intentional attacker devising and executing a well-thought-out attack), how could such a scenario play out?

First, the attackers identify the target, they gather information and form a plan. Once access has been gained, they then need to scour the network for the control systems that interact directly with the water treatment process. Again, this can take significant time and planning.

Once potential targets have been identified, attackers need to understand what role those targets have in the chemical process and what access those systems have to the physical equipment involved in production, whether valves, relays, level sensors, thermocouples or other controls.

Then they have to craft a specific attack within the context they are able to assess along the way, and then launch at a precise time that would have the best odds of success, all while maintaining undetected access to all the systems in the chain.

In the case of Oldsmar, once the attack was launched, there were other systems in place that provided feedback that could alert staff in time to scuttle the attack. That’s the good news. The bad news would be that they might have been under silent attack for weeks or months prior to the actual poisoning attempt and didn’t know it.

My colleague Tony Anscombe wonders why the Oldsmar facility did not have a thoroughly vetted and implemented plan in accordance with CISA sector-specific guidance for water and wastewater systems, including measures like two-factor authentication (2FA) and similar controls. It’s very helpful that those guidelines are made available for small municipalities to ramp up quickly, even if they don’t have access to cybersecurity ninjas on staff – which can be very expensive with typical small-town budgets.

Meanwhile, expect to see future exploit attempts against other municipalities. Ransomware attempts would be an obvious follow-on trend.

What can small towns do? They should take the time to understand and implement the guidance available, which may be as simple as adding/enforcing 2FA, patching systems, implementing good change control processes (according to media reports, TeamViewer had been replaced as the remote access solution in use at this water treatment plant, yet it was still running, exposing the plant to the internet through a non-required interface) and training staff on cyberhygiene.

Also, do a practice drill assuming a breach and “think like a hacker” to stop them from getting in. It is a good idea as well to have a plan in place in case a ransomware attack happens; that way, small towns won’t be faced with the untenable prospect of explaining to the citizens why they just spent public money to stop an attack that shouldn’t have happened in the first place.