Misplaced expectations securing water treatment systems
The cyber attack that tried to poison the drinking water system in Oldsmar, Florida is similar to last year’s attack on small water systems in Israel.
Both attacks tried to tamper with water treatment facilities to produce drinking water containing dangerous amounts of chemicals. These chemicals are normally used in microscopic amounts to reduce pathogens, minerals or other contaminants, but are dangerous in large quantities. Both attacks targeted small, poorly-defended water utilities.
Many owners and operators of critical infrastructures have the mistaken idea that “the government will save us” from the worst kinds of cyber attacks. This sentiment is particularly widespread among the large number of very small water, power and natural gas utilities. The sentiment is, however, mistaken.
While the Oldsmar attack is still new and under investigation, the investigation into last year’s Israeli attacks is complete. A high-level comment from one of the investigators of the Israeli attack is telling: “These attacks got as close as they did to succeeding for one reason – the targeted utilities did not apply the [Israeli] government recommended security controls.”
The lesson is simple – the government cannot save us from some kinds of attacks. Many of the world’s governments have powerful industrial cybersecurity programs that can help owners and operators with threat assessments, information sharing, personnel background checks, training and awareness, and sometimes even intrusion detection and incident response. The problem, though, is that some attacks move faster than any of the government’s programs can react. The only way to prevent the consequences of these attacks is for the utilities themselves to deploy and use effective cyber defenses.
In most of the world, government advice for critical infrastructure cybersecurity is focused on the very largest of targets. There are exceptions. French and Israeli advice is more pointed – in their guidance, any industrial control system with the potential to injure or kill dozens or more people in a cyber attack deserves the highest level of cyber defense.
When compromised, small water systems can easily sicken hundreds and kill dozens or more citizens in affected communities. These systems cannot wait for the government to protect them – no government is able to protect individual sites against these kinds of attacks. Small water systems must act now to protect themselves and their consumers.
The good news is that robust protection for small systems does not need to be expensive. At Waterfall, we work with both Israel’s and the world’s most secure industrial sites – everything from small water systems to nuclear generators. For some months now, Waterfall has been working on preparing a document with advice for small water systems, and last week’s events in Florida will accelerate that work.
In the meantime, the clearest description of first principles and practices for robust industrial security is still the Secure Operations Technology textbook, which Waterfall continues to provide for free, as a public service, to qualified practitioners.