We Just Witnessed a Cyber-Physical Attack: Why the Florida Water Treatment Plant Incident Must Force Us Beyond IT-Centric Cybersecurity

March 15, 2022

The recent cyber hack of water treatment plant operations in Oldsmar, FL., is another stark reminder of the growing danger of cyber-physical threats. The move toward converged security of IT, Operational Technology (OT), and Physical Security systems has never been more urgent.

The Incident

The attack on the water treatment facility appears to have been an attempted takeover of the computer system where a hacker gained access and tried to alter sodium hydroxide levels (which treat the water) from 100 parts per million to 11,100 parts per million. The targeted change to chemical delivery was noticed before it executed – avoiding a potential catastrophe to water supplied to the area’s 14,000 residents. If the process had been completed, the increase in levels of sodium hydroxide, also known as lye, could have raised the city’s water to potentially lethal levels.

According to one news outlet, the hacker was able to carry out the attack by compromising a remote access software program named TeamViewer that was installed on a facility computer. TeamViewer allows workers to share screens for troubleshooting and IT issues and fortunately, an employee monitoring the computer noticed and counteracted the hacker’s mouse movement and keystrokes before the attack could be carried out.

Bloomberg Law called it a “wake up call, 20 years in the making,” with experts citing the need for greater protection at the municipal level and increased awareness of cyber incidents to critical infrastructure and control systems.

Businesses Still Work in Silos, But Attackers Don’t

According to The State of Security Convergence in the United States, Europe and India, an ASIS Foundation Convergence Report published in 2019, organizations are often slow to adapt to change unless forced to do so. “Reluctance to converge often centers around people issues,” the report stated. Physical security, IT, and OT personnel are commonly aligned in legacy siloed structures and reluctant to change for fear that convergence will translate into diminished roles. Malicious actors however don’t think this way and ultimately capitalize on these traditional roles working in isolation from each other.

Compounding the problem is the monitoring systems for these functions are seldom integrated, and even more rarely correlated for contextual understanding of an evolving security event. Both people and systems are isolated from each other – the very definition of halfway security.

Critical infrastructure industries continue to ignore the reality that millions of dollars are being spent on these halfway security measures, while breaches continue unabated and threat vectors rise. Current spending on regulatory compliance and network security too often misses a structural vulnerability: security is still imprisoned in corporate silos and needs to break free.

Three Recommendations

1. The Intelligent Enterprise Needs Intelligent Security

The altered and ever-changing threat landscape requires a mind-shift focusing on security convergence. Facing new and emerging threats requires intelligent platforms that can effectively converge applications and leverage big data, machine learning, and predictive analytics across OT, IT, and Physical Security environments.

2. The Unavoidable Human Side of Security

At the center of converged security is people, identity, and trust. Remote work and remote accessibility have skyrocketed during the pandemic and the growing consensus is that the future of many businesses will include a significant remote workforce. But do you know who is handling your critical infrastructure operations?

Consider the worker who is able to log into enterprise Utility or Energy operational systems without legitimate access or swiping their own access card, but simply by tail-gaiting and following someone into a building. Gaining access to OT systems without badge verification should trigger automated checks and alarms to alert security to investigate a physical breach–innocent or not. HR is a fundamental component of the solution in risk-ready enterprises and critical in effectively managing the workforce, performing as the authoritative source of truth for identity. A converged security technology platform, with a single view of cyber, physical, and operational parameters, delivers a unified and proactive threat response to a wide range of incidents–with real-time data connections across all critical enterprise applications.

3. Insider Threat Protection 2.0

Unified security awareness and AI-powered situational intelligence offers a centralized view of complex threats across cyber, physical and operational domains, while automated workflows prioritize response based on risk and criticality. Real-time data turns into insights and action with AI identity intelligence, further consolidating information to correlate threats for informed decision making.

The Way Forward

In a September 2020 press release, Gartner predicted that by 2024, liability for cyber-physical security incidents will “pierce the corporate veil to personal liability” for 75% of CEOs. In response, “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure the CPS, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner. “Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”

We’re living in unprecedented times. Attacks to asset-intensive environments such as critical infrastructure and healthcare will continue to rise as malicious actors create new ways to leverage potential vulnerabilities. From COVID-19 to cyberattacks, the threats are many and complex. As security and technology leaders we are compelled to rise and meet the challenge. At Alert Enterprise we believe that only a converged approach, beyond IT-centric cybersecurity, is the way forward.