Everyone is susceptible to a cyberattack. If you think it won’t happen to you, you’re among the many others who thought the same yet found out otherwise the hard way. Let’s unpack that with some insight from one of Mariner’s security experts.
In February 2021, a water treatment station in Oldsmar, Florida, was hacked. The culprit accessed the workstation using a popular remote access application called TeamViewer and attempted to change the dose of lye in the water from 100 to 1100 PPM (parts per million) – a level that could cause health issues among the utility’s customers.
An alert operator, who happened to be on duty, noticed the mouse moving and the parameters being changed, and corrected them immediately, before the water could be affected. This was the only silver lining to this event. If that operator had not been present and alert, the consequences could have been serious.
About five years prior, during an assessment of a Canadian water utility company, one of our consultants visited local water treatment plants and found a situation similar to what happened in Oldsmar.
The issue of having easily guessable passwords or passwords shared among various team members was considered one of the most critical vulnerabilities at the water station in Florida. The same situation was also present in the Canadian water treatment station, where passwords could be found in plain sight, recorded on Post-it notes.
Outdated applications and antiquated operating systems can also allow an attacker to quickly gain access to sensitive equipment. That is in part because utility companies often rely on equipment that has been in place for a long time, which is usually not for the best when it comes to computers. During that Canadian assessment, sensitive equipment was being managed by a Windows 98 workstation. At that time, the operating system was already almost 20 years old and full of unpatched vulnerabilities.
In the case of the Florida water station, we may never find out who was responsible for the attack because there were no monitoring systems in place, and it is unlikely the hack could be traced back to its source. In the case of our Canadian counterpart, this would be potentially worse. The workstations were directly connected to the internet. There was no firewall and no IDS/IPS (Intrusion Detection System/Intrusion Prevention System) in place. The network equipment consisted of a common household modem connected to a public phone/internet provider. Tracking the source of a potential attack would be virtually impossible.
What all of these vulnerabilities have in common is that they can be easily identified during a VAPT (Vulnerability Assessment and Penetration Testing) exercise. If VAPT had been performed on that site, then besides the unsung hero - the alert operator - other mitigating factors could, and likely would, have been in place to prevent this incident from ever happening.
This is more than a reminder that attacks on utility services and other critical infrastructure services are an imminent threat - this event also reminds us of the importance of practicing good cybersecurity hygiene by performing regular and frequent VAPT to identify, and eventually mitigate, vulnerabilities.
Mariner is one of the best cybersecurity development organizations in North America, attracting top talent to evolve their security specialization through value-focused clients and a culture of security innovation and excellence. We employ state-of-the-art technology and a team-based, cross-capabilities approach tuned to our clients’ unique needs, with proven results, to provide industry-leading value in security solutions.