On Monday, February 8, 2021, Sheriff Bob Gualtieri gave a press conference about the unlawful intrusion into the City of Oldsmar's water treatment system. He was joined by Mayor Eric Seidel and City Manager Al Braithwaite.
During the press conference, Sheriff Gualtieri laid out the sequence of events:
On Friday, February 5th at approximately 8:00 AM ET, an operator at a water treatment plant noticed someone remotely accessing the control system Human Machine Interface (HMI).
The operator was aware that his supervisor and other users routinely used remote access to view the HMI screen, so he did not report the incident.
On the same day at approximately 1:30 PM ET, the operator noticed a user was again remotely accessing the HMI. This time the user navigated through various screens and eventually modified the set point for Sodium Hydroxide (Lye) to a level that is toxic to humans.
The remote user logged off and the operator immediately reset the Sodium Hydroxide level back to normal. He then disabled remote access and reported the incident to the City and to local and state law enforcement.
The investigation is still underway, and the culprit and their intentions are still unclear. The most likely options are (1) an authorized user who made a change in error, (2) a disgruntled former employee or contractor, or (3) a random hacker who discovered the system was accessible from the internet. Other, less likely, options that should not be discounted are organized crime syndicates or nation states.
Mission Critical Global Alliance (MCGA), along with other organizations and individuals, has been involved in raising awareness of the risk of a cybersecurity incident to our nation’s critical infrastructure for many years. This incident is precisely the scenario that has been anticipated. It is fortunate that the City of Oldsmar operator was sufficiently observant and aware to take immediate action to prevent catastrophic consequences. The City should be commended for being open and transparent about the incident. It is only through proactive information sharing that we can manage the cybersecurity threat to our critical infrastructure.
There are over 145,000 active public water systems in the United States (including territories). Of these, 97% are considered small systems under the Safe Drinking Water Act, meaning they serve 10,000 or fewer people. Systems the size of the City of Oldsmar (15,000 population) have limited resources to manage the threat to their operations. We collectively need to help such systems, because the impact on them affects us all.
MCGA recommends that other public water systems immediately review their remote access capabilities, from a people, process, and technology perspective:
People – Train everyone to anticipate a cybersecurity incident and know how to respond.
Process – Remove unlimited access and restrict remote access to specific individuals, from specific machines and locations, at specific times. Ensure that operators on site are aware when someone is using remote access.
Technology – Implement secure architectures and use secure software solutions. Avoid free software. Remove unnecessary software from control system workstations and servers to limit exposure to other vulnerabilities.
If in doubt, remove all remote access. Even with so-called air-gapped machines or systems, water systems are not immune to the effects of a cybersecurity incident. The use of uncontrolled removable media, indirect access via other systems, and the potential for attack by a disgruntled insider all continue to exist in an isolated scenario.
Training and awareness are key to improving a water system’s cybersecurity posture. Employees should learn about system concepts, standards, technology, operations, safety and physical security, risk management, and emergency response preparedness. With better awareness and knowledge, a water system can prepare its people, update its processes, and manage its technology.