Page 25 - Cyber Defense Magazine RSA Edition for 2021
Over the last few months, cybersecurity journalists and the ICS security community have been discussing
the Oldsmar, Florida water system cyber-attack and other similar attacks on water infrastructure, almost
ad nauseam. While many people have been talking about this “news” topic, we’ve actually been treating
this issue with many of our customers over the past few years. In this article, I will explain what we’ve
learned from this cyberattack, but most importantly, I will share how we’ve been busy solving these issues
over the last few years with actual examples from our range of industrial cybersecurity products.
The Oldsmar Water Facility Attack
On February 5th, a hacker gained access to the water treatment system of Oldsmar, Florida, and
hijacked the plant’s operational controls. He was able to temporarily drive up the sodium hydroxide
content in the water to poisonous levels. The Oldsmar facility is the primary source of drinking water for
the city’s 15,000 residents. Luckily, a plant operator was able to return the water to normal levels. The
incident has nonetheless launched many conversations about the state of security in global critical
infrastructure.
But that wasn’t the whole story.
A security advisory released in March by the state of Massachusetts’s Department of Environmental
Protection referred to additional unsafe practices or behaviors at the Oldsmar water treatment plant that
significantly increased the risk. Like many other facilities of its kind, Oldsmar uses a SCADA
(Supervisory Control And Data Acquisition) system that allows staff to monitor and control conditions
within the facility. At the same time, the staff was using TeamViewer, a fairly common remote access
program, which can be used to monitor and control systems within the SCADA network. Sadly,
cybersecurity was not a priority for the facility, as is occasionally the case with critical infrastructure. Not
only was the Oldsmar facility using Windows 7, outdated software that is no longer supported by
Microsoft, but all of its employees shared the same password to access TeamViewer. Additionally, the
facility was connected directly to the internet without any type of firewall protection installed.
The Current Situation with Water Systems
In the United States alone, there are about 54,000 distinct drinking water systems. The vast majority of
those systems serve fewer than 50,000 residents. They mainly rely on some type of remote access to
monitor and/or administer their facilities. Many of their facilities are also unattended, underfunded, and
do not have someone watching the IT operations 24/7. Finally, many facilities have not separated their
OT (operational technology) networks from their safety systems that are in place in order to detect
intrusions or potentially dangerous changes by threat actors.
While the attempt was spotted and taken care of by a plant operator before it could do any damage, it
raises questions about how serious a threat this sort of terrorist or nation-state action could be in the
future.