© 2021 CyberNews - Latest tech news, product reviews, and analyses.


The Oldsmar water treatment facility hack was entirely avoidable – and it can happen again

by Edvardas Mikalauskas
9 February 2021
in Editorial

Additional reporting by Bernard Meyer.

Almost seven months ago, we warned that critical US infrastructure was so easy to hack that industrial control systems (ICS) in the US, particularly in the water and energy sectors, could be breached by anyone. Last Friday, it happened in Florida.

According to a report from the Tampa Bay Times, an attacker compromised a water treatment facility in Oldsmar, Florida and tried to raise chemical concentrations in the water supply to extremely dangerous levels. Bob Gualtieri, the Sheriff of Pinellas County where the city of Oldsmar is located, said the attacker tried to raise levels of sodium hydroxide, a chemical used to control the acidity of water, “by a factor of more than 100.”

According to Gualtieri, the Oldsmar water treatment facility provides water to the city’s businesses and its 15,000 residents, as well as other local towns that obtain water through Pinellas County. 

Fortunately, Oldsmar’s water supply wasn’t affected, thanks to the facility’s remote supervisor who saw the chemical levels being tampered with and immediately reverted the change.

Gualtieri said in a press conference that the city’s own forensic investigators, along with the FBI and the Secret Service, are currently investigating the incident. In response to the cyberattack by an as-yet-unknown assailant, Oldsmar city officials disabled remote access to the water treatment plant control systems and emphasized that other safeguards are in place to prevent contaminated water from entering the water supply.

We can only applaud the remote supervisor’s quick reaction and effective response. On the other hand, this attack could have been avoided entirely.

The sorry state of critical US infrastructure security was never a secret

In our 2020 report, we outlined how, despite growing investments in critical infrastructure security, many ICS panels in the US were still unprotected and easily accessible to threat actors. During our investigation, we found multiple unprotected control panels for water and sewage treatment facilities in cities and towns just like Oldsmar, Florida.

Our report found that other cities’ water systems were also vulnerable, including Ladonia, Texas and St. Bonifacius, Minnesota. 

We also found a public sewer pump station in Scituate, Massachusetts to be vulnerable, as well as various coastal and onshore oil wells. In total, our research showed that the most vulnerable infrastructure belonged to the water and energy sectors.

Fortunately, after our discovery in January 2020 we contacted CISA, CERT, and the public and private owners of these systems and they have now all been disabled.

We were shocked to discover that virtually anyone with a specific skill set could cause harm to critical US infrastructure. From silencing alarms on oil wells, to infecting the water supply, to causing city-wide water outages, such cyberattacks could physically affect untold numbers of people. 

Even though the vulnerability of US critical infrastructure was not a subject widely discussed in the media, it was not a secret either. Many government institutions and security companies in the US were well aware that ICS systems were designed without cybersecurity in mind and were thus extremely vulnerable to cyberattacks. However, with the coronavirus pandemic taking center stage in every way imaginable, there seemed to be a lack of urgency and institutional will to ensure adequate protection for all ICS systems in 2020.

And the Oldsmar water treatment facility hack seems to be the (entirely avoidable) result.

Many other systems remain vulnerable. At the time of our report, Gabriela Ariza, a cybersecurity specialist working with the US government, told CyberNews that further infrastructure attacks could wreak havoc on the country, and US systems can come to a halt, making “day-to-day activities that require electricity and internet no longer possible. The longer the attackers can keep the systems down, the more control they have to attack.”

Approaches to fixing this problem were suggested by Nir Kshetri, Professor at the University of North Carolina-Greensboro and a research fellow at Kobe University. Kshetri told CyberNews that one solution would be to “use an ‘analog’ approach, which involves taking the grid offline. Another approach is to break up the operation into many components like the system in California. The operators can isolate areas readily in order to control the system. It makes it difficult to take the grid down.”
