A water-treatment plant in Oldsmar, Fla., was breached, and the hacker briefly increased the amount of lye used to treat water to a dangerous level, according to Pinellas County Sheriff Bob Gualtieri.
According to reporting from the Wall Street Journal, a plant operator noticed that someone had remotely accessed a computer system the operator was monitoring, one that controls the chemicals used to treat water. The computer system is accessible remotely, and the operator detected external access on the network that appeared potentially nefarious.
It appears the breach of the water utility’s industrial control system may have resulted from a misconfiguration of controls tools. This case highlights the vulnerabilities that exist within US critical infrastructure. These vulnerabilities stem from a number of factors, including the rapid digitization of essential services like water, which includes the merging of IT and operational technology (OT) that characterizes modern industrial control systems.
The merging of OT and IT in recent years has led to a decrease in the number of air gaps, the separation that used to make critical infrastructure like utilities less vulnerable to cyber-attacks like the one conducted in Pinellas County. With the rise of IoT, industrial control systems have become more connected and thus more vulnerable to attack.
From the work of experts like Dragos, we already see an uptick in ransomware attacks on critical infrastructure seeking to exploit the vulnerabilities born of this trend.
The systemic risks posed by events like this should create urgency for renewed focus on things like security controls validation and objective external assessments of cyber performance for any company that is part of the country’s critical infrastructure.