Hack reveals vulnerabilities of underfunded U.S. water plants

ST. PETERSBURG, Florida – A hacker’s unsuccessful attempt to poison the water supply of a small Florida city is a warning of how vulnerable the country’s water systems are to attacks by more sophisticated intruders. Treatment plants are usually underfunded and lack the cybersecurity depth of the power grid and nuclear power plants.

A local sheriff’s surprising announcement on Monday that the water supply of Oldsmar, population 15,000, was temporarily in jeopardy showed unusual transparency. According to experts, suspicious cases are rarely reported and are usually due to mechanical or procedural errors. There are no federal reporting requirements, and state and local rules vary widely.

“In the industry, we all expected this to happen. We’ve long known that municipal water utilities are very underfunded and have long been a soft target for cyberattacks,” said Lesley Carhart, a principal incident responder at Dragos Security specializing in industrial control systems.


“I have a lot of water services for small and large cities, and often all of them have very small IT staff. Some don’t have dedicated security staff,” she said.

The country’s 151,000 public water systems lack the financial strength of the corporate owners of nuclear power plants and utilities. They are a heterogeneous patchwork, with less uniformity of technology and security measures than in other rich countries.

Security measures are often sacrificed as access to computer networks of critical infrastructure becomes easier over the Internet and remote access increases rapidly during the COVID-19 pandemic.

“This is a difficult issue, but we need to start addressing it,” said Joe Slowik, senior security researcher at DomainTools, who said the hack points to “a systemic weakness in this sector.”

According to cybersecurity experts, the attack at the plant 15 miles northwest of Tampa seemed clumsy and very blatant. Whoever broke into the Oldsmar plant on Friday using a remote access program shared by plant workers temporarily increased the amount of lye (sodium hydroxide) 100-fold, according to Pinellas County Sheriff Bob Gualtieri. Lye is used to reduce acidity, but at high concentrations it is very caustic and can burn. It is found in drain cleaning products.


The intruder’s timing and visibility seemed almost ridiculous to cybersecurity professionals. A supervisor monitoring the plant console around 1:30 pm saw the cursor move across the screen to change settings and was able to quickly change them back, Gualtieri said. The intruder was in and out in 5 minutes.

The intruder “raised sodium hydroxide to dangerous levels,” but the public was never at risk, the sheriff said. He also said that the plant’s safeguards would have detected the chemical change in the 24-36 hours it would have taken to affect the water supply.

“It would have been caught by a secondary chemical test” when the water was sent to a storage tank before reaching customers, Gualtieri said on Tuesday. He didn’t know if the hacker was domestic or foreign, and said no one connected to plant employees was suspected. He said the FBI and Secret Service are supporting the investigation. He said it was possible that the hacker could create administrator credentials, but it is unclear how the hacker broke in.


Jake Williams, CEO of cybersecurity firm Rendition Infosec, said engineers were creating safeguards “before remote control over cyber became a problem,” and that it was very unlikely the breach would lead to a “series of failures” polluting Oldsmar’s water.

According to cybersecurity firm FireEye, hacking attempts at water treatment plants have increased over the past year, but most are by beginners, who often come across the systems while using Shodan, a kind of search engine for industrial control systems.

The serious threat comes from nation-state hackers like the Russian agents blamed for the months-long SolarWinds campaign, discovered in December, which plagued US institutions and the private sector for at least eight months. US officials call SolarWinds a serious threat, though it was cyberespionage rather than an attempt to do damage.


Placing booby traps that could be triggered in an armed conflict is another matter. Russian hackers are known to have infiltrated US industrial control systems, including the power grid, and Iranian agents have been accused of breaking into a dam on the outskirts of New York in 2013. However, there are no signs that a “logic bomb” has been activated, as Russia did in Ukraine in the winters of 2015 and 2016, when military hackers temporarily shut down part of the grid.

According to a 2020 paper in the Journal of Environmental Engineering, water operators have been hacked by a variety of actors, including amateurs just poking around, disgruntled ex-employees, profit-seeking cybercriminals, and state-sponsored hackers. Such incidents are relatively rare, but that does not mean the risk is low or that most water systems are safe. This is because the so-called “air gap” between networks connected to the Internet and systems that directly manage pumps and other plant components is becoming less common.


“In reality, many cybersecurity incidents are not detected and are not reported or disclosed as a result, as they can jeopardize victims’ reputation, customer trust, and thus revenue,” the paper said.

After the incident on Friday, Oldsmar authorities disabled the remote access system and warned leaders of other cities in the area, which was hosting the Super Bowl, to check their systems.

In May, Israel’s cyber chief said the country had stopped a large-scale cyberattack on its water system the previous month, a widespread attack from Iran. Had Israel not detected the attack in real time, chlorine or other chemicals could have entered the water, leading to “disastrous” consequences, he said.

The Biden administration has already shown its intention to strengthen cybersecurity, an area its predecessor has been roundly accused of not taking seriously enough.


So far this year, the Department of Homeland Security has issued 25 advisories listing various industrial control systems that may be vulnerable to hacking. Affected products range from 3D rendering software to security cameras and insulin pumps.

Chris Sistrunk, technical manager of FireEye’s Mandiant division, said cybersecurity issues are relatively new to U.S. water operators, whose biggest problems are pipes freezing and bursting in winter or getting clogged with disposable wipes. He said the Oldsmar hack highlights the need for more training and basic security protocols, but not drastic steps such as sweeping new regulations.

“We have to do something. We can’t do anything, but we can’t overreact,” he said.


Bajak reported from Boston and Suderman reported from Richmond, Virginia. AP Technology Writer Matt O’Brien contributed from Providence, Rhode Island.

Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed without permission.
