February 10, 2021

ASU cybersecurity expert explains what happened

Hackers were able to remotely access the water treatment plant in the small town of Oldsmar, Florida, last week – endangering the lives of about 15,000 people in the Tampa Bay area by briefly increasing the amount of sodium hydroxide (lye) released into the system.

Thwarted before the hack could cause any harm, the incident exposed the hackable vulnerabilities that remain unchecked in America’s aging infrastructure.

“The implication – that all infrastructure, even apparently physical infrastructure like water, is subject to cyberattack – means that we need to figure out how to get cybersecurity into civil and environmental engineering education,” said Braden Allenby, an Arizona State University environmental engineer who studies sustainable engineering. “Our graduates should be aware of the cybersecurity dimensions of their craft and understand enough to ensure the experts put in that security.”

While the perpetrators of the Florida attack have not yet been identified, Paulo Shakarian, an Arizona State University cybersecurity expert and researcher for the Global Security Initiative, suspects it was a national adversary and not a bad actor motivated by a ransom or payout.

Shakarian is also the CEO and co-founder of ASU spinout company CYR3CON, which uses machine learning technology to predict exploits before hackers use them. CYR3CON’s customer base includes Fortune 500 companies and financial institutions. His expertise includes working with businesses and municipalities to avoid attacks like the one on the Oldsmar water system, December’s U.S. Treasury and Sunburst hacks, and North Korea duping cybersecurity experts into downloading malicious code earlier this month.

Shakarian answered questions for ASU Now about the Florida water system hack.

Question: How did hackers attempt to poison the water supply in Oldsmar, Florida?

Answer: Hackers obtained remote access to a workstation running the TeamViewer software, attempting to increase the amount of lye in the water, which can be poisonous if consumed in great enough quantities. The employee saw the attack take place as the hacker gained control of the computer through the TeamViewer software.

Q: Have cyberattacks been attempted against water treatment plants in the past?

A: There have been several documented cases where water treatment facilities have been targeted through hacking. Perhaps the first was over two decades ago when a disgruntled employee at Maroochy Shire (Australia) took control of 142 pumping stations for three months and released more than 1 million liters of sewage into local waterways.

Other attacks against infrastructure in more recent years include a 2013 attack against a New York dam facility, a series of Russian attacks against Ukrainian electrical infrastructure in 2015, and perhaps one of the most famous infrastructure attacks, the 2010 Stuxnet attack against Iranian nuclear facilities at Natanz.

Q: How were the hackers able to remotely access the water treatment system?

A: The computer controlling the Oldsmar system was connected to the internet. This differs from some previous attacks like Maroochy Bay and Stuxnet, where the systems were isolated from the internet. In some ways, internet connection makes things easier for the attackers.

Q: How was the TeamViewer software compromised in the attack?

A: It is not clear precisely how TeamViewer was compromised — as the city of Oldsmar did not release those details yet. While it is possible the hackers used brute-force methods to crack the login, a more likely scenario is they exploited a software vulnerability. For example, a 2019 software vulnerability for certain versions of TeamViewer allows hackers to bypass access control mechanisms. Using CYR3CON technology originally seeded at ASU, we have seen hacker discussions on this vulnerability in early-mid 2020 that included release of hacker tools to exploit it. There are other potential vulnerabilities that could have been used in the attack as well.

Q: Who was behind the attack and how will investigators draw those conclusions?

A: No official statement has been made as to potential culprits, though in most cases infrastructure attacks are attributed to nation states. The reason for this is simple — criminal hackers will likely earn more money from noninfrastructure attacks. 

Security researchers will examine the tactics, techniques and procedures (TTPs) used by the hackers in the attack closely to find similarities with previous attacks, as was done in the December SolarWinds incidents, to identify likely perpetrators.

Q: What can organizations do to better protect critical infrastructure from cyberattacks?

A: Critical infrastructure is inherently difficult to defend because organizations have operational requirements and challenges. For example, it is usually not possible to shut down a water treatment facility for extended periods in order to update computer systems on a regular basis. 

Additionally, industrial hardware typically has a much longer lifespan than the associated software. To avoid the expense of replacing expensive hardware, maintenance protocols often are slow to address software that has become vulnerable to exploitation by hackers.

Key to resolving these issues is for owners of critical infrastructure to not only keep track of the evolving technology that runs these industrial systems, but also to remain aware as new threats relevant to those systems appear — and be prepared to invest in the necessary tools to protect them.

Terry Grant

Media Relations Officer, Media Relations and Strategic Communications