On February 5, 2021, a Human-Machine-Interface (HMI) at the Oldsmar, FL Water Facility was accessed by unauthorized actors through remote desktop software that was exposed to the internet. These actors used this access to modify the sodium hydroxide levels of the water treatment process. This activity was detected by a water facility operator and the levels were quickly reset to the normal levels. The Cybersecurity and Infrastructure Security Agency (CISA) provides an initial account of this situation in [Alert (AA21-042A) Compromise of U.S. Water Treatment Facility].
Currently, the information available about this event is limited and is not enough to discuss specific points related to the facility’s recovery efforts, incident response steps, or cybersecurity program. However, this event does give us the opportunity to help the public, leaders, operators, administrators, and information security professionals understand the complexities involved with operating and securing process environments like the Oldsmar, FL Water Facility.
To this end, a panel of the SANS ICS team, composed of Jason Dely, Jeff Shearer, and Don C. Weber, gathered to discuss interesting points raised by this event. In the ICS Hot Take: Oldsmar, FL Water Facility Event YouTube video, the team focuses on:
- the situation and actions that can lead up to configuring external access to a process,
- how process personnel receive notifications / alerts and common response actions,
- the common configuration issues related to HMI, controllers, and physical implementation that increase risk to the process,
- the physical limitations often implemented within processes that can prevent an attacker’s process modification,
- cost of changes to applications, controllers, and physical deployment of process assets,
- roles of vendors, integrators, and process owners in defining and implementing security requirements and controls, and
- differences between IT incident response and ICS incident response that are important during these types of events.
In addition to this discussion, the SANS ICS team has produced a downloadable outline of the Oldsmar, FL Water Facility Event that can be used by teams to understand and discuss the situation. It contains information about what is currently known, the technologies involved, and details teams should consider when investigating and responding to these types of events. Further discussion about this topic, and other ICS subjects, is currently happening in the SANS ICS Community forum. Join to be a part of this discussion and interact with other ICS implementers and ICS security professionals.
ABOUT THE AUTHOR
Don C. Weber is the Principal Consultant and Founder at Cutaway Security, LLC, an information security consulting company based in Texas. Don's previous experiences include large-scale incident response efforts for organizations with international assets and interests, the certification and accreditation of classified federal and military systems, assessment and penetration testing of worldwide commercial assets, and, as a Navy contractor, the management of a team of distributed security professionals responsible for the security of mission-critical Navy assets. Don has achieved his master's degree in network security, the Certified Information Systems Security Professional (CISSP) certification, and many GIAC certifications. Don was a founding member of the GIAC Ethics Council of which he was the GIAC EC Chair in 2009. Don regularly contributes to a wide variety of open source projects involving information security and incident response. Read Don's full profile here.