Science and technology

Florida water treatment hack reveals long-ignored vulnerabilities in America's infrastructure

ASU cybersecurity expert explains what happened

Florida water treatment hack
By Terry Grant |
February 10, 2021

Hackers were able to remotely access the water treatment plant in the small town of Oldsmar, Florida, last week – endangering the lives of about 15,000 people in the Tampa Bay area by briefly increasing the amount of sodium hydroxide (lye) released into the system.

Thwarted before the hack could cause any harm, the incident exposed the hackable vulnerabilities that remain unchecked in America’s aging infrastructure.

“The implication – that all infrastructure, even apparently physical infrastructure like water, is subject to cyberattack – means that we need to figure out how to get cybersecurity into civil and environmental engineering education,” said Braden Allenby, an Arizona State University environmental engineer who studies sustainable engineering. “Our graduates should be aware of the cybersecurity dimensions of their craft and understand enough to ensure the experts put in that security.”

While the perpetrators of the Florida attack have not yet been identified, Paulo Shakarian, an Arizona State University cybersecurity expert and researcher for the Global Security Initiative, suspects it was a national adversary and not a bad actor motivated by a ransom or payout.

Shakarian also is the CEO and co-founder of ASU spinout company CYR3CON, which uses machine learning technology to predict exploits before hackers use them. CYR3CON’s customer base includes Fortune 500 companies and financial institutions. His expertise includes working with businesses and municipalities to avoid attacks like the water system in Oldsmar, the December’s U.S. Treasury and Sunburst hacks, and North Korea recently duping cybersecurity experts into downloading malicious code earlier this month.

Shakarian answered questions for ASU Now about the Florida water system hack.

Question: How did hackers attempt to poison the water supply in Oldsmar, Florida?

Answer: Hackers obtained remote access to a workstation running the TeamViewer software, attempting to increase the amount of lye in the water, which can be poisonous if consumed in great enough quantities. The employee saw the attack take place as the hacker gained control of the computer through the TeamViewer software.

Q: Have cyberattacks been attempted against water treatment plants in the past?

A: There have been several documented cases where water treatment facilities have been targeted through hacking. Perhaps the first was over two decades ago when a disgruntled employee at Maroochy Shire (Australia) took control of 142 pumping stations for three months and released more than 1 million liters of sewage into local waterways.

Other attacks against infrastructure in more recent years include a 2013 attack against a New York dam facility, a series of Russian attacks against Ukrainian electrical infrastructure in 2015, and perhaps one of the most famous infrastructure attacks, the 2010 Stuxnet attack against Iranian nuclear facilities at Natanz.

Q: How were the hackers able to remotely access the water treatment system?

A: The computer controlling the Oldsmar system was connected to the internet. This differs from some previous attacks like Maroochy Bay and Stuxnet, where the systems were isolated from the internet. In some ways, internet connection makes things easier for the attackers.

Q: How was the TeamViewer software compromised in the attack?

A: It is not clear precisely how TeamViewer was compromised — as the city of Oldsmar did not release those details yet. While it is possible the hackers used brute-force methods to crack the login, a more likely scenario is they exploited a software vulnerability. For example, a 2019 software vulnerability for certain versions of TeamViewer allows hackers to bypass access control mechanisms. Using CYR3CON technology originally seeded at ASU, we have seen hacker discussions on this vulnerability in early-mid 2020 that included release of hacker tools to exploit it. There are other potential vulnerabilities that could have been used in the attack as well.

Q: Who was behind the attack and how will investigators draw those conclusions?

A: No official statement has been made as to potential culprits, though in most cases infrastructure attacks are attributed to nation states. The reason for this is simple — criminal hackers will likely earn more money from noninfrastructure attacks. 

Security researchers will examine the tactics, techniques and procedures (TTPs) used by the hackers in the attack closely to find similarities with previous attacks, as was done in the December SolarWinds incidents, to identify likely perpetrators.

Q: What can organizations do to better protect critical infrastructure from cyberattacks?

A: Critical infrastructure is inherently difficult to defend because organizations have operational requirements and challenges. For example, it is usually not possible to shut down a water treatment facility for extended periods in order to update computer systems on a regular basis. 

Additionally, industrial hardware typically has a much longer lifespan than the associated software. To avoid the expense of replacing expensive hardware, maintenance protocols often are slow to address software that has become vulnerable to exploitation by hackers.

Key to resolving these issues is for owners of critical infrastructure to not only keep track of the evolving technology that runs these industrial systems, but also to remain aware as new threats relevant to those systems appear — and be prepared to invest in the necessary tools to protect them.

Top photo courtesy of Pexels.

National security School of Computing and Augmented Intelligence Faculty Tempe campus School of Sustainable Engineering and the Built Environment Engineering Science and technology Prospective student Technology Alumni Community Student Global Security Initiative Ira A. Fulton Schools of Engineering Cybersecurity

More Science and technology

 

Two gloved fingers holding a bullet

Glass powder may be magic bullet in solving crimes

Using shattered glass to glean clues from a crime scene is nothing new.Broken pieces of glass can indicate where a criminal was standing, the angle of a bullet’s trajectory and, in the case of a…

Read more
Forensic science Research
Three men sit at a table in front of a display screen

Opportunities in ASU-Mexico partnership equip talent for North American microelectronics jobs

One country can’t accomplish it all when it comes to the semiconductor or microelectronics sector. While Arizona is a rapidly expanding hub for revitalizing the industry in the United States,…

Read more
Mexico Microelectronics International Politics
Students sitting on stairs, one holding a cell phone.

AI-powered educational experiences underway at ASU

An AI-generated patient on which to practice behavioral health techniques.An on-demand study buddy to help with language learning.An AI simulation that allows you to debate with some of the world’s…

Read more
Artificial intelligence Writing and rhetorics Education Humanities

Pagination

  • Prev
  • Page 1
  • Page 2
  • Page 3
  • Current page 4
Arizona State University.
ASU News

Contact ASU News

Manage subscriptions

ASU News
Media Relations Science and Technology Arts, Humanities and Education Business and Entrepreneurship Health and Medicine Environment and Sustainability Law, Journalism and Politics Local, National and Global Affairs Sun Devil Community University News
University
Admissions Financial Aid President's Office About ASU ASU Home Emergency
Events
ASU Events Athletics
Maps and Locations Jobs Directory Contact ASU My ASU
Repeatedly ranked #1 in innovation (ASU ahead of MIT and Stanford), sustainability (ASU ahead of Stanford and UC Berkeley), and global impact (ASU ahead of MIT and Penn State)
Copyright and Trademark Accessibility Privacy Terms of Use Emergency