Water system hack should alarm electric utilities

Electric utilities should pay close attention to a recent cyber incident in Oldsmar, Florida. Hackers broke into the city’s SCADA system at a water treatment plant and tried to poison the supply.

Unlike SolarWinds and other headline-grabbing breaches, this attempt was not sophisticated. Rather, the hackers exploited the city’s outdated operating system and weak passwords.

Although city employees thwarted the attack, the threat was real. Security experts say it illustrates the importance of cybersecurity for critical infrastructure providers.

Poison attempt

Cyber criminals broke into Oldsmar’s SCADA controls on two separate occasions on February 5. Once in, they tampered with the levels of sodium hydroxide, or lye, in the water treatment process.

Had it gone unnoticed, the change would have threatened the health of Oldsmar residents. But plant employees caught it immediately, even before SCADA detected the manipulation.

They corrected the dosing amount, and the process and water supply remained unaffected.

Vulnerabilities exposed

The FBI is investigating the compromise along with state and local authorities. In a joint advisory with the Cybersecurity and Infrastructure Security Agency (CISA), it blamed the event on several contributing factors.

The cyber actors accessed the system using TeamViewer, remote access and desktop-sharing software. Oldsmar personnel used TeamViewer to conduct system status checks and respond to issues throughout the plant.

The FBI and CISA say TeamViewer is “a legitimate popular tool that has been exploited by cyber actors.” Because the tool is legitimate, its misuse gives hackers unauthorized control over computer systems in a less suspicious manner.

Another vulnerability existed in the city’s computer systems. Every computer within the plant used the outdated operating system, Windows 7.

Microsoft ended support for Windows 7 in January of 2020. Some users can still buy security updates and patches, but on a limited basis and only until January 2023.

Experts say the technology is obsolete and continued use puts organizations at risk. In an interview with “Cybersecurity Dive,” security researcher John Hammond offered this analogy: “Leaving an outdated, unsupported and overall dead technology running in production isn’t ‘like leaving the door open’ — it’s like there is no door at all.”

Finally, authorities say the city lacked basic protective measures. The computers shared the same password for remote access and connected to the Internet without a firewall in place.

Power industry should pay attention

The FBI and CISA say the Oldsmar attack is a sign of a growing trend. Organizations in the critical infrastructure sector — including electric utilities — should be on high alert.

Gary Kinghorn is a marketing director at Tempered, which specializes in network security. He believes the similarities between water and electric utilities make them equally vulnerable.

“They are both mission critical and there is a chance to do real damage,” he told “Cybersecurity Dive.”

Both utility systems are difficult to maintain, patch and secure, and yet remote access is a necessity. Kinghorn said more people must take the situation seriously. As remote access becomes more commonplace, systems must become more secure.

Organizations must also stop using outdated software. Despite its flaws, Windows 7 is still widely used. By some estimates, roughly 100 million computers use it in the U.S. and twice that worldwide.

It is especially rampant in small- and medium-sized organizations, or those averse to updates. Utilities using the antiquated system leave the infrastructure – and the communities they serve – exposed.

Mitigations available

After the attack, experts offered cyber hygiene measures to help protect critical facilities.

Kinghorn suggested identity-based remote access policies and military-grade encryption.

The FBI and CISA urge upgrading outdated operating systems and using multi-factor authentication with strong passwords.

Other recommendations include:

  • Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network.
  • Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
  • Install a firewall software/hardware appliance with logging and ensure it is turned on.
  • Train users to identify and report unusual activity and attempts at social engineering.

Beyond the simple measures, utilities might also consider an investment in cybersecurity tools and technology. After all, electric utilities have a responsibility to maintain a strong electric grid.

Lessons learned

The residents of Oldsmar were lucky. Poor security hygiene left the city’s system and water supply exposed. Had it not been for attentive staff, the story could have had a much different ending.

Security experts say this event is a cautionary tale. The industry should learn from Oldsmar’s mistakes before it’s too late.

The next attack is coming, they say, and it could be more sophisticated. Electric utilities and other critical infrastructure providers should remain vigilant.

Featured image: Chris Urso/Tampa Bay Times via ZUMA Press, ABC News

Making Grid Security a Priority

Former television journalist Ted Koppel recently released a book addressing the cyber and physical security threats to the electric grid. The book, “Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath,” asserts that only a laptop is needed to bring down the entire grid, and evaluates the state of the government’s and the industry’s preparedness in the case of a major blackout.

Koppel’s book has many poignant messages and focuses mainly on what life would be like without electricity. Surely, no one can imagine a world without lights, computers, cell phones, or more critically, running water, waste systems and food production. The point Koppel is trying to make with his book is less about what we can do to prevent an attack on the grid and more about how much we truly rely on electricity, and specifically the grid that ensures its reliable delivery to our homes and businesses every second of every day.

While Koppel’s book certainly provides some shock factor, it is important to remember that the electric power sector has made grid security a priority and actively works to prevent cyber attacks. The power industry is diverse, and its desire to improve security is universal.

While the electric power sector and government partners continue to take steps to manage risk, Koppel makes one point to which utilities of all sizes should pay attention. He says, “Security and day-to-day reliability become a shared responsibility, and as with any other chain, the electric power grid may only be as strong as its weakest link.” He goes on to say smaller companies “are simply not inclined to spend a great deal on cybersecurity. The weakest links in this system tend to be the smaller companies with the poorest security and maintenance practices.”

This presents a serious problem because of the interconnectedness of the grid. Different companies are responsible for different phases of the process – from the generation of electricity to delivery to the end-use customer. Information changes hands several times throughout that process and even after electricity is delivered, information is relayed back to the delivering utility. The smallest margin of error along the way provides an opportunity for a cyber attack.

In an effort to do our part in this process, Heartland has partnered with Helix Security to help our customers protect against cyber threats. Heartland, as well as our customers, must be accountable when it comes to cybersecurity. Taking steps to protect information is vital for any utility and because so many of our customers can’t do it on their own, we want to help. We certainly don’t want any of our customers to be the weakest link.

Helix provides cybersecurity services in five phases, starting with the fundamentals and building towards a fully functioning security management package. Heartland is providing a fifty percent cost share for any of our customers who choose to utilize Helix’s services, up to $5,000 per utility, per phase.

We currently have one customer signed up to begin Phase 1, and look forward to more customers taking advantage of this vital opportunity. Pricing is affordable and is based on your utility’s meter count. The time commitment on your part is also small, as Helix does all the heavy lifting.

Heartland hopes to get all of our customers to participate in this important program, because as Koppel reminds us, the effects of a long-term, widespread blackout would be devastating. If you’d like more information on how your utility can begin Phase 1, contact Ann Hyland at (605) 256-6536.

Photo credit NASA/GSFC

DSU hosts U.S. Senate cybersecurity field hearing

U.S. Senator John Thune (R-SD) held a full committee field hearing titled “Confronting the Challenge of Cybersecurity” September 3 at Dakota State University in Madison. Thune is chairman of the Senate Commerce, Science and Transportation Committee, and said the hearing at DSU gave policymakers an opportunity to listen to cyber experts and “better understand the challenge of protecting individuals, businesses and critical infrastructure throughout our nation.”

Approximately 20 percent of students at DSU are involved in its cybersecurity programs and the curriculum has received national attention. DSU’s Cyber Operations Program is recognized by the National Security Agency and the Department of Homeland Security as a National Center of Academic Excellence, holding education, research and cyber operations designations – one of the first universities in the nation to hold all three prestigious designations.

“As our nation continues to confront and guard against dangers in cyberspace, experts in South Dakota have experience and insight to inform federal policymaking,” Thune said.

Witnesses at the hearing included:

  • Dr. Josh Pauli, professor of cybersecurity and NSF SFS CyberCorps Program director, DSU
  • Dr. Kevin Streff, department chair, cyber operations and security, DSU; founder and managing partner, Secure Banking Solutions, LLC
  • Mark Shlanta, CEO, SDN Communications
  • Eric Pulse, director of risk advisory services, Eide Bailly
  • Jeremy Epstein, lead program director, Secure and Trustworthy Cyberspace (SaTC) program, National Science Foundation
  • Kevin Stine, manager, Security Outreach and Integration Group, Information Technology Laboratory, National Institute of Standards and Technology

Witness testimony, opening statements and video of the hearing are available HERE.

Cybersecurity continues to be an issue of primary importance across the United States. Heartland recently took steps to help our customers protect valuable data by partnering with Helix Security to launch a cybersecurity initiative. Dr. Pauli, who spoke at the Senate hearing, also works for Helix and is one of the individuals Heartland has been working closely with to develop the program, which will provide customers a cost share for implementing Helix Security services.

Picture courtesy Dakota State University.