Additional reporting by Bernard Meyer.
Almost seven months ago, we warned that critical US infrastructure was so easy to hack that industrial control systems (ICS) in the US, particularly in water and energy sectors, could be breached by anyone. Last Friday, it happened in Florida.
According to a report from Tampa Bay Times, an attacker compromised a water treatment facility in Oldsmar, Florida and tried to up chemical levels in the water supply to extremely dangerous levels. Bob Gualtieri, the Sheriff of Pinellas County where the city of Oldsmar is located, said the attacker tried to raise levels of sodium hydroxide, a chemical used to control the acidity of water, “by a factor of more than 100.”
According to Gualtieri, the Oldsmar water treatment facility provides water to the city’s businesses and its 15,000 residents, as well as other local towns that obtain water through Pinellas County.
Fortunately, Oldsmar’s water supply wasn’t affected, thanks to the facility’s remote supervisor who saw the chemical levels being tampered with and immediately reverted the change.
Gualtieri said in a press conference that the city's own forensic investigators, along with the FBI and the Secret Service, are currently investigating the incident. In response to the cyberattack by an as yet unknown assailant, Oldsmar city officials disabled remote access to the water treatment plant control systems and emphasized that other safeguards are in place to prevent contaminated water from entering the water supply.
We can only applaud the remote supervisor’s quick reaction and effective response. On the other hand, this attack could have been avoided entirely.
The sorry state of critical US infrastructure security was never a secret
In our 2020 report, we outlined how, despite growing investments in critical infrastructure security, many ICS panels in the US were still unprotected and easily accessible to threat actors. During our investigation, we found multiple unprotected control panels for water and sewage treatment facilities in cities and towns just like Oldsmar, Florida.
Our report found that other cities’ water systems were also vulnerable, including Ladonia, Texas and St. Bonifacius, Minnesota.
We also found a public sewer pump station in Scituate, Massachusetts to be vulnerable, as well as various coastal and onshore oil wells. In total, our research showed that the most vulnerable infrastructure belonged to the water and energy sectors.
Fortunately, after our discovery in January 2020 we contacted CISA, CERT, and the public and private owners of these systems and they have now all been disabled.
We were shocked to discover that virtually anyone with a specific skill set could cause harm to critical US infrastructure. From silencing alarms on oil wells, to infecting the water supply, to causing city-wide water outages, such cyberattacks could physically affect untold numbers of people.
Even though the vulnerability of US critical infrastructure was not a subject widely discussed in the media, it was not a secret either. Many government institutions and security companies in the US were well aware that ICS systems were designed without cybersecurity in mind and were thus extremely vulnerable to cyberattacks. However, with the coronavirus pandemic taking center stage in every way imaginable, there seemed to be a lack of urgency and institutional will to ensure adequate protection for all ICS systems in 2020.
And the Oldsmar water treatment facility hack seems to be the (entirely avoidable) result.
Many other systems remain vulnerable. At the time of our report, Gabriela Ariza, a cybersecurity specialist working with the US government, told CyberNews that further infrastructure attacks could wreak havoc on the country, and US systems can come to a halt, making “day-to-day activities that require electricity and internet no longer possible. The longer the attackers can keep the systems down, the more control they have to attack.”
Approaches to fixing this problem were suggested by Nir Kshetri, Professor at the University of North Carolina-Greensboro and a research fellow at Kobe University. Kshetri told CyberNews that one solution would be to “use an ‘analog’ approach, which involves taking the grid offline. Another approach is to break up the operation into many components like the system in California. The operators can isolate areas readily in order to control the system. It makes it difficult to take the grid down.”