Water system hack should alarm electric utilities

March 2, 2021

Electric utilities should pay close attention to a recent cyber incident in Oldsmar, Florida. Hackers broke into the city’s SCADA system at a water treatment plant and tried to poison the supply.

Unlike SolarWinds and other headline-grabbing breaches, this attempt was not sophisticated. Rather, the hackers exploited the city’s outdated operating system and weak passwords.

Although city employees thwarted the attack, the threat was real. Security experts say it illustrates the importance of cybersecurity for critical infrastructure providers.

Poison attempt

Cyber criminals broke into Oldsmar’s SCADA controls on two separate occasions on February 5. Once in, they tampered with the levels of sodium hydroxide, or lye, in the water treatment process.

Gone unnoticed, the change would have threatened the health of Oldsmar residents. But plant employees caught it immediately, even before SCADA detected the manipulation.

They corrected the dosing amount and the process and water supply remained unaffected.

Vulnerabilities exposed

The FBI is investigating the compromise along with state and local authorities. In a joint advisory with the Cybersecurity and Infrastructure Security Agency (CISA), it attributed the event to several contributing factors.

The cyber actors accessed the system using TeamViewer, a remote access, desktop-sharing software. Oldsmar personnel used TeamViewer to conduct system status checks and respond to issues throughout the plant.

The FBI and CISA say TeamViewer is “a legitimate popular tool that has been exploited by cyber actors.” Because it is legitimate software, attackers who abuse it can take control of computer systems without drawing the suspicion that custom malware would.

Another vulnerability existed in the city’s computer systems. Every computer within the plant used the outdated operating system, Windows 7.

Microsoft ended support for Windows 7 in January of 2020. Some users can still buy security updates and patches, but on a limited basis and only until January 2023.

Experts say the technology is obsolete and continued use puts organizations at risk. In an interview with “Cybersecurity Dive,” security researcher John Hammond offered this analogy: “Leaving an outdated, unsupported and overall dead technology running in production isn’t ‘like leaving the door open’ — it’s like there is no door at all.”

Finally, authorities say the city lacked basic protective measures. The computers shared the same password for remote access and connected to the Internet without a firewall in place.

Power industry should pay attention

The FBI and CISA say the Oldsmar attack is a sign of a growing trend. Organizations in the critical infrastructure sector — including electric utilities — should be on high alert.

Gary Kinghorn is a marketing director at Tempered, which specializes in network security. He believes the similarities between water and electric utilities make them equally vulnerable.

“They are both mission critical and there is a chance to do real damage,” he told “Cybersecurity Dive.”

Both utility systems are difficult to maintain, patch and secure, and yet remote access is a necessity. Kinghorn said more people must take the situation seriously. As remote access becomes more commonplace, systems must become more secure.

Organizations must also stop using outdated software. Despite its flaws, Windows 7 is still widely used. By some estimates, roughly 100 million computers use it in the U.S. and twice that world-wide.

It is especially rampant in small- and medium-sized organizations, or those averse to updates. Utilities using the antiquated system leave the infrastructure, and the communities they serve, exposed.

Mitigations available

After the attack, experts offered cyber hygiene measures to help protect critical facilities.

Kinghorn suggested identity-based remote access policies and military-grade encryption.

The FBI and CISA urge upgrading outdated operating systems and using multi-factor authentication with strong passwords.

Other recommendations include:

  • Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network.
  • Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
  • Install a firewall software/hardware appliance with logging and ensure it is turned on.
  • Train users to identify and report unusual activity and attempts at social engineering.
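Two of the recommendations above, restricting remote connections to SCADA hosts and keeping a logging firewall turned on, only pay off if someone actually reviews the logs. The script below is an added example, not code from the original article or from the FBI/CISA advisory: it audits firewall log lines for remote-access sessions that reach SCADA workstations from a source that is not on an allowlist, or outside an approved maintenance window. The host addresses, the allowlist, the maintenance window, the log format and every log line are constructed assumptions for the example; port 5938 is TeamViewer's default TCP port.

```python
"""Added example: audit firewall logs for remote-access sessions to SCADA hosts.

Flags any allowed session that reaches a SCADA host from a source not on the
remote-access allowlist, or that falls outside the approved maintenance window.
Everything here (addresses, window, log format, log lines) is constructed.
"""
import re
from datetime import datetime, time

# Constructed policy: SCADA workstations, permitted jump hosts, maintenance hours.
SCADA_HOSTS = {"10.20.0.11", "10.20.0.12"}        # constructed plant addresses
ALLOWED_SOURCES = {"10.50.1.5", "10.50.1.6"}      # constructed approved jump hosts
MAINTENANCE_WINDOW = (time(7, 0), time(19, 0))    # constructed: 07:00 to 19:00

REASON_SOURCE = "source not on SCADA remote-access allowlist"
REASON_WINDOW = "session outside approved maintenance window"

# Constructed firewall log format:
#   "<ISO timestamp> <ALLOW|DENY> <src> -> <dst>:<port>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Constructed sample log. 5938/tcp is TeamViewer's default port; 3389 is RDP.
SAMPLE_LOG = """\
2021-02-05T08:02:11 ALLOW 10.50.1.5 -> 10.20.0.11:5938
2021-02-05T13:21:40 ALLOW 203.0.113.7 -> 10.20.0.11:5938
2021-02-05T13:22:02 ALLOW 203.0.113.7 -> 10.20.0.12:3389
2021-02-05T22:45:09 ALLOW 10.50.1.6 -> 10.20.0.12:5938
2021-02-05T23:10:00 DENY 198.51.100.9 -> 10.20.0.11:5938
2021-02-05T14:00:00 ALLOW 10.50.1.5 -> 10.30.0.40:443
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["port"] = int(rec["port"])
    return rec


def in_maintenance_window(ts, window=MAINTENANCE_WINDOW):
    """True if the timestamp's time of day falls inside the approved window."""
    start, end = window
    return start <= ts.time() <= end


def audit(log_text):
    """Return a list of (log line, [reasons]) for sessions that violate policy.

    Denied sessions and sessions to non-SCADA hosts are ignored; the firewall
    already did its job for the former, and the policy only covers SCADA hosts.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["dst"] not in SCADA_HOSTS:
            continue
        reasons = []
        if rec["src"] not in ALLOWED_SOURCES:
            reasons.append(REASON_SOURCE)
        if not in_maintenance_window(rec["ts"]):
            reasons.append(REASON_WINDOW)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_LOG):
        print(f"{line}\n    -> {'; '.join(reasons)}")
```

Running the script reports the two sessions from the unknown Internet address and the late-night session from an otherwise approved jump host, while the denied attempt and the session to a non-SCADA host produce no finding. In practice the allowlist and window would come from the site's remote-access policy, and a finding would be routed to whoever is trained to report unusual activity.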

Beyond the simple measures, utilities might also consider an investment in cybersecurity tools and technology. After all, electric utilities have a responsibility to maintain a strong electric grid.

Lessons learned

The residents of Oldsmar were lucky. Poor security hygiene left the city’s system and water supply exposed. Had it not been for attentive staff, the story could have had a much different ending.

Security experts say this event is a cautionary tale. The industry should learn from Oldsmar’s mistakes before it’s too late.

The next attack is coming, they say, and it could be more sophisticated. Electric utilities and other critical infrastructure providers should remain vigilant.

Featured image: Chris Urso/Tampa Bay Times via ZUMA Press, ABC News