Hacker Tampered With Chemical Processes Controls at Florida Water Treatment Plant
On February 5, a hacker altered the amount of sodium hydroxide (lye) added to the water supply for Oldsmar, Florida, from 100 ppm to 11,100 ppm. "According to the county's sheriff, the hacker gained access via an unnamed remote software program that allows employees to troubleshoot IT problems. The same program also includes some screen-monitoring capabilities. As a result, the operator who first noticed the intrusion initially suspected the remote access belonged to another worker." A plant operator noticed the change and reversed it before the tainted water entered the municipality's water supply. Officials have disabled the remote access system. The FBI and Secret Service are investigating.
Vendors often offer remote support and monitoring, which helps maintain their systems. That support mechanism needs to be well understood. If you must expose access to monitor and manage an internal service, make sure that it is properly secured, including mandatory multi-factor authentication, regular reviews of which accounts have access, and logs that not only capture activities but are also forwarded to your SIEM/SOC. Pay particular attention to any accounts which cannot use MFA, and, if possible, don't allow remote access to them. If cellular or other private networks are used, understand what else is on those networks and how the communications are protected.
Many organisations have remote access solutions in place to enable vendors and staff to work remotely, and in the pandemic this has increased, so now is a good time to review all your remote access solutions to ensure that they are configured in a secure manner and where possible MFA is enabled.
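As an added example (not from the article, the utility or any vendor), the following Python reviews constructed remote-access audit lines for two of the points above: logins from accounts without MFA, and setpoint changes that fall outside an engineering bound or jump by a large fraction in one step. The log format, account names, the NaOH_dose_ppm tag and the bounds are all assumptions.

```python
"""Review constructed remote-access audit lines against the controls
discussed above. Everything here is illustrative, not real plant data."""

# Constructed sample lines in an assumed "timestamp key=value ..." export.
LOG_LINES = """
2021-02-05T13:30:00Z event=login user=ops-joe mfa=yes src=10.1.5.20
2021-02-05T13:31:00Z event=login user=vendor-support mfa=no src=203.0.113.7
2021-02-05T13:32:10Z event=setpoint user=vendor-support tag=NaOH_dose_ppm old=100 new=11100
2021-02-05T13:40:00Z event=login user=ops-ann mfa=yes src=10.1.5.21
2021-02-05T13:41:00Z event=setpoint user=ops-ann tag=NaOH_dose_ppm old=11100 new=100
""".strip().splitlines()

# Assumed engineering limits per setpoint tag (not the plant's real values).
SETPOINT_LIMITS = {"NaOH_dose_ppm": (0.0, 200.0)}
# Flag any single change larger than this fraction of the previous value.
MAX_RELATIVE_CHANGE = 0.5


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def review_log(lines, limits=SETPOINT_LIMITS, max_rel=MAX_RELATIVE_CHANGE):
    """Return (finding, user, detail) tuples for the conditions to review."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev["event"] == "login" and ev.get("mfa") != "yes":
            # Account reached the system without MFA: review this access.
            findings.append(("no_mfa", ev["user"], ev["src"]))
        elif ev["event"] == "setpoint":
            old, new = float(ev["old"]), float(ev["new"])
            lo, hi = limits.get(ev["tag"], (float("-inf"), float("inf")))
            if not lo <= new <= hi:
                findings.append(("out_of_bounds", ev["user"], ev["tag"]))
            elif old and abs(new - old) / abs(old) > max_rel:
                # Large swings, including the reversal, are worth a look.
                findings.append(("large_change", ev["user"], ev["tag"]))
    return findings


if __name__ == "__main__":
    for finding in review_log(LOG_LINES):
        print(finding)
```

Bounds checking of this kind belongs in the controller or HMI as well as in the SIEM; the log review is a second line of defence, not a substitute.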
Utility operator convenience must not be allowed to trump security of the utility.