Cyberattacks like the one on a Florida water plant are a threat to us all. Here’s why critical infrastructure must be secured.
In early February a water treatment facility in the USA was targeted in a cyberattack. An attacker was able to remotely access the plant, in Oldsmar, western Florida, and attempted to increase the amount of sodium hydroxide in the water to 100 times the normal level. The change would have been lethal had it succeeded, but it was spotted by a supervisor and cancelled. Even if it hadn’t been, other safety controls in the system would have prevented poisoned water from being released into the system.
That doesn’t mean we can treat the attack as an isolated incident and forget it. It highlights several problems with global ramifications. First, critical infrastructure facilities like water plants, power stations and road management are often insufficiently secured against cyberattack. Second, these attacks are not always reported, which limits the opportunities to learn from them. And third, infrastructure attacks represent a grave threat to everyone’s health, wellbeing and safety, but the global response to the threat does not yet match the risk.
A growing threat
The Oldsmar attacker appears to have used access credentials that were posted online in 2017, together with the remote access software TeamViewer, to gain access to the control systems. Security expert Brian Krebs points out that, though some people were critical of the plant for using TeamViewer, many public facilities enable remote access from a public-facing website, which is an even greater risk.
Mr Krebs also notes that it is unusual for an attack like this to be publicised. There are many infrastructure attacks that we never hear about, because in many parts of the world there is no obligation to disclose them. It’s often argued that revealing details of the attack might encourage others. But the downside is that we are far less aware of the risks than we should be.
In 2015, a massive coordinated attack on Ukraine’s power grid left hundreds of thousands of people without power for hours. It was the first known successful cyberattack on a power grid anywhere in the world. Whoever carried it out, says security specialist Robert M Lee, was able to deploy a “well-funded, well-trained team”.
Cyberattacks on Ukraine have continued and infrastructure attacks have become more common elsewhere. Last year, the Israel National Cyber-Directorate and the Water Authority told treatment facilities to change the passwords on internet-facing equipment after cyberattacks on Israeli water facilities.
A wake-up call
It’s likely that there are other attacks of a similar nature that we might never know about. The victims are not soldiers or military personnel, but innocent people who depend on water and electricity to live their lives. The Geneva Protocols prohibit the use of chemical and biological weapons. Poisoning a water supply is hardly any different, and sabotaging electricity supplies can also have life-threatening consequences.
Attacks on critical infrastructure don’t just threaten public health and safety, but also have an economic and social impact. We rely on ICTs more and more in the modern world, which magnifies the risk.
We need these kinds of attacks to become as unacceptable as any other aggression against civilian populations. We need a human-centric approach to cyber security that prioritises the needs of vulnerable communities.
But we also have to do a better job of securing infrastructure. Training will be essential, but that alone won’t be enough. It will take investment in security systems that match the true level of risk. And we need a commitment to due diligence to protect critical civilian infrastructure and promote accountability.
The Oldsmar attack was most likely simple vandalism and it was never likely to succeed beyond spreading fear and uncertainty in the community. However, a more determined attacker might have done significant damage – and even taken lives. This should be a wake-up call to all of us in cyberspace – from governments and utilities operators, to customers and citizens.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.