Cyber Attack on Water Plant Facility

Last month, dangerous winter storms rolled into the South, leaving thousands of residents to endure the cold with little or no power or running water. People I know were forced to stand in line to obtain their ration of water for the day. Water is an essential part of our very existence, and every cell in our body needs it to grow and function. Per, 657 million+ liters of water have been used so far in 2021. Now think about developing countries that lack a quality water supply: per UNESCO, one in nine people worldwide drinks water from unimproved, unsafe, untreated sources.

In the United States, we are fortunate to have access to treated water, and drinking from US water supplies is considered safe. However, on Friday, Feb. 5, 2021, two days before the Super Bowl, an intrusion was attempted against a small water treatment facility in Oldsmar, Florida. Over the internet, the adversary connected through TeamViewer, remote-access software that was installed on the workstation used to control the water treatment process. TeamViewer is a popular tool among technicians: it lets personnel take control of a computer and use it as if they were physically in front of it. Once connected to that workstation, the adversary tried to raise the amount of sodium hydroxide (lye) dosed into the water.

Thankfully, a supervisor on duty noticed an Indicator of Compromise (IoC): the mouse cursor moving across his screen on its own. Because he was alert, he was able to intervene immediately and prevent a catastrophe. Think about it for a second: had the supervisor not seen the cursor move, many unsuspecting customers, travelers, or residents could have been poisoned. Unfortunately, this type of situation is not uncommon. Operations staff and equipment vendors need remote access to industrial machines, and they rely on tools such as TeamViewer to manage critical infrastructure such as our water supply. The risk is not remote access itself but how it is set up: a remote-control tool reachable from the internet with nothing more than a password, running on the very machine that drives the process.

How can this type of incident be prevented in the future? Start at the network boundary: a firewall should sit between the plant network and the internet, complemented by a Network Intrusion Detection/Prevention System (NIDS/NIPS) on the wire and a Host Intrusion Detection/Prevention System (HIDS/HIPS) on the control workstations, so that suspicious or malicious events are alerted on or blocked outright. Place the industrial control network behind a DMZ so that nothing on the internet can reach it directly; remote access for vendors and operators should terminate on a jump host in the DMZ, protected by multi-factor authentication, rather than on the workstation that runs the process. Remove remote-access tools that are not actively needed, and restrict the ones that remain to approved accounts and agreed maintenance windows. Do not use default or shared credentials on servers or applications, and conduct a vulnerability assessment at least every six months.
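One host-level check that follows from these recommendations is to review the remote-access tool's own connection log against an allowlist of approved remote IDs and an agreed maintenance window, so that a session like the one in Oldsmar raises an alert even if nobody is watching the screen. The script below is an added example written for this post; it is not code from the original article or from TeamViewer. It assumes the tab-separated layout of TeamViewer's Connections_incoming.txt (remote TeamViewer ID, display name, start time, end time, local account, connection type, connection GUID, with DD-MM-YYYY HH:MM:SS timestamps); the allowlist, the 09:00 to 17:00 maintenance window and the log lines are constructed for the demonstration.

```python
"""Flag suspicious inbound TeamViewer sessions on an OT workstation.

Added example, not code from the original post or from TeamViewer. It
assumes the tab-separated layout of TeamViewer's Connections_incoming.txt
(remote TeamViewer ID, display name, start time, end time, local account,
connection type, connection GUID; timestamps as DD-MM-YYYY HH:MM:SS).
The allowlist, maintenance window and log lines are constructed for the demo.
"""
from datetime import datetime, time

# Hypothetical policy: the only remote TeamViewer IDs allowed to reach the
# control workstation (e.g. the system integrator's support account) and the
# local hours in which vendor maintenance sessions are permitted.
ALLOWED_REMOTE_IDS = {"111222333"}
MAINTENANCE_WINDOW = (time(9, 0), time(17, 0))
TIMESTAMP_FORMAT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log, not a real capture. One inbound session per line.
SAMPLE_LOG = (
    "111222333\tIntegrator Support\t03-02-2021 10:15:02\t03-02-2021 10:42:51\tscada\tRemoteControl\t{c1}\n"
    "555666777\tUnknown\t05-02-2021 07:58:11\t05-02-2021 08:03:40\tscada\tRemoteControl\t{c2}\n"
    "555666777\tUnknown\t05-02-2021 13:20:05\t05-02-2021 13:25:12\tscada\tRemoteControl\t{c3}\n"
    "111222333\tIntegrator Support\t05-02-2021 22:10:00\t05-02-2021 22:25:00\tscada\tRemoteControl\t{c4}\n"
)


def parse_sessions(log_text):
    """Parse Connections_incoming.txt-style lines into session dicts.

    Malformed lines are skipped rather than raising, so one bad line does
    not stop review of the rest of the file.
    """
    sessions = []
    for line in log_text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue
        remote_id, display_name, start, end, local_user, conn_type, conn_id = fields[:7]
        try:
            start_dt = datetime.strptime(start, TIMESTAMP_FORMAT)
            end_dt = datetime.strptime(end, TIMESTAMP_FORMAT)
        except ValueError:
            continue
        sessions.append({
            "remote_id": remote_id,
            "display_name": display_name,
            "start": start_dt,
            "end": end_dt,
            "local_user": local_user,
            "type": conn_type,
            "conn_id": conn_id,
        })
    return sessions


def session_findings(session, allowed_ids=ALLOWED_REMOTE_IDS, window=MAINTENANCE_WINDOW):
    """Return the reasons a session violates policy (empty list if it is clean)."""
    reasons = []
    if session["remote_id"] not in allowed_ids:
        reasons.append(f"remote TeamViewer ID {session['remote_id']} not on allowlist")
    started = session["start"].time()
    if not (window[0] <= started <= window[1]):
        reasons.append(f"session started at {started}, outside maintenance window")
    return reasons


def find_suspicious_sessions(log_text, allowed_ids=ALLOWED_REMOTE_IDS, window=MAINTENANCE_WINDOW):
    """Return (connection_id, remote_id, start_iso, reasons) for each session that fails policy."""
    alerts = []
    for session in parse_sessions(log_text):
        reasons = session_findings(session, allowed_ids, window)
        if reasons:
            alerts.append((session["conn_id"], session["remote_id"],
                           session["start"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for conn_id, remote_id, started, reasons in find_suspicious_sessions(SAMPLE_LOG):
        print(f"ALERT {conn_id} from {remote_id} at {started}: {'; '.join(reasons)}")
```

Run against the constructed log, the first session (approved integrator, mid-morning) passes, while the two sessions from the unknown ID and the late-night session from the approved ID are all flagged. In practice this check would run from a scheduled task on the workstation or from a log collector, and the allowlist would be the short list of vendor and operator IDs that actually have a business reason to connect.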

