The vulnerability of our critical infrastructure to hacking attacks is in the spotlight again. This time, someone remotely accessed a computer used to control certain processes at the City of Oldsmar, Florida’s water treatment facility. As of the writing of this post, details are still emerging, but in short, after accessing the system, the hacker briefly increased the amount of sodium hydroxide, also known as lye, being added to the water to adjust pH, by a factor of more than 100. This could have had significant health consequences for residents, which were avoided thanks to a quick reaction by the water operator on staff, who saw the intrusion happening and took immediate action to reverse the increase.
ARE YOU OPEN TO THE SAME VULNERABILITY AS OLDSMAR?
The specific vulnerability that allowed someone illicit access to Oldsmar’s system is believed to be associated with TeamViewer, a remote access technology the facility was using to allow operators and supervisors to check in on the treatment process. If you are using this specific program, it would be wise to disable it until a safer alternative can be found. There are more secure options that can be implemented, and if you need support in identifying one for your facilities, please reach out.
The landscape of cybersecurity risks is large, complex, and shifting. That’s why we implement robust security in every system we design. Our approach covers a wide range of potential vulnerabilities, thanks to a set of standards we apply to the systems we build.
The Woodard & Curran SCADA cybersecurity standard
As a baseline, it is important to make sure that all operating systems and installed software is current and patched with the latest security updates. Two-factor authentication and strong passwords should be used throughout your systems, and firewalls should be installed to protect your networks and devices. When designing treatment system SCADA installations, we
- Include stringent user credential controls to assure users that are accessing the system have the appropriate authority and skill level to perform certain control actions, such as modifying process setpoints.
- Program input range limitations so that operator inputs that are out of range will be flagged or not permitted.
- Include process control functions that monitor process variables and automatically adjusts the output as required.
- Include process monitoring functions that provide operator notifications and alarms when there are process upsets or the process is out of control.
- Include remote alarm notification capability to on-call operations staff 24/7/365.
- Strongly recommend that process equipment itself is sized such that even if an outrageous input was requested as in the Oldsmar case, the equipment would be unable to deliver.
If this raises larger questions about the security of your systems, a targeted vulnerability assessment is a good idea. These can typically be executed quickly and should be based on cybersecurity practices and standards set by leading authorities and experts, such as Instrument Society of America (ISA), National Institute of Standards and Technology (NIST), and the Department of Homeland Security (DHS). The assessment yields a prioritized set of recommendations for fixes, upgrades, or other mitigation measures. Some fixes can even be implemented as they are discovered. If you believe your utility or facility needs this kind of review, please contact us!