We Just Witnessed a Cyber-Physical Attack: Why the Florida Water Treatment Plant Incident Must Force Us Beyond IT-Centric Cybersecurity
The attack on the water treatment facility appears to have been an attempted takeover of a plant computer: an intruder gained remote access and tried to raise the setpoint for sodium hydroxide (lye, which is dosed to control the water's acidity) from 100 parts per million to 11,100 parts per million. The change to chemical dosing was noticed and reversed before it took effect, averting a potential catastrophe for the water supplied to the area's 14,000 residents. Had it gone through, the increased concentration of sodium hydroxide could have raised the city's water to a potentially lethal level.
According to one news outlet, the attacker got in through TeamViewer, a remote access program installed on a facility computer so that workers could share screens for troubleshooting and IT support. Fortunately, an employee watching that computer noticed the intruder's mouse movements and keystrokes and counteracted them before the change could be carried out.
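The Oldsmar change was caught because a person happened to be looking at the screen. An added example, not part of the article and not code from the plant or from AlertEnterprise, of the control-layer check a practitioner would want underneath that human safeguard: every setpoint write is validated against engineering limits and a maximum step size before it reaches the dosing loop, and in-range writes that arrive from a remote session are held for operator confirmation instead of applied directly. The limits (0 to 200 ppm, maximum step 25 ppm) and the `origin` labels are assumptions for illustration; the real plant's limits are not stated in the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SetpointLimits:
    low: float       # engineering minimum for the setpoint (ppm)
    high: float      # engineering maximum for the setpoint (ppm)
    max_step: float  # largest change accepted in a single write (ppm)


# Hypothetical limits for a sodium hydroxide dosing setpoint. Real values
# come from the process engineers, not from this example.
NAOH_LIMITS = SetpointLimits(low=0.0, high=200.0, max_step=25.0)


def check_setpoint_change(current, requested, limits, origin):
    """Decide whether a setpoint write may be applied.

    Returns (decision, reasons) where decision is one of:
      "reject" - out of engineering range or too large a step; never applied
      "hold"   - within limits but from a non-local origin (e.g. a remote
                 desktop session); queued for operator confirmation
      "accept" - within limits and from the local HMI
    """
    reasons = []
    if not limits.low <= requested <= limits.high:
        reasons.append(
            f"requested {requested} ppm is outside "
            f"[{limits.low}, {limits.high}] ppm"
        )
    step = abs(requested - current)
    if step > limits.max_step:
        reasons.append(
            f"step of {step} ppm exceeds max_step {limits.max_step} ppm"
        )
    if reasons:
        return "reject", reasons
    if origin != "local":
        return "hold", [f"change from origin '{origin}' needs operator confirmation"]
    return "accept", []


def oldsmar_style_write():
    """The write described in the article: 100 ppm -> 11,100 ppm over a
    remote session. Both limit checks fail, so the write is rejected
    regardless of whether anyone is watching the screen."""
    return check_setpoint_change(100.0, 11100.0, NAOH_LIMITS, origin="remote")


if __name__ == "__main__":
    print(oldsmar_style_write())
    print(check_setpoint_change(100.0, 110.0, NAOH_LIMITS, origin="local"))
    print(check_setpoint_change(100.0, 110.0, NAOH_LIMITS, origin="remote"))
```

The check belongs in the controller or the HMI's write path, where the remote access tool cannot bypass it; it complements, and does not replace, removing unnecessary remote access to the control network and enforcing strong authentication on whatever remote access remains.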
Bloomberg Law called it a “wake up call, 20 years in the making,” with experts citing the need for greater protection at the municipal level and increased awareness of cyber incidents to critical infrastructure and control systems.
Businesses Still Work in Silos, But Attackers Don’t
According to The State of Security Convergence in the United States, Europe and India, an ASIS Foundation Convergence Report published in 2019, organizations are often slow to adapt to change unless forced to do so. "Reluctance to converge often centers around people issues," the report stated. Physical security, IT, and OT personnel are commonly aligned in legacy siloed structures and reluctant to change for fear that convergence will mean diminished roles. Malicious actors, however, don't think this way; they capitalize on these traditional roles working in isolation from each other.
Compounding the problem, the monitoring systems for these functions are seldom integrated, and even more rarely correlated to give contextual understanding of an evolving security event. Both people and systems are isolated from each other: the very definition of halfway security.
Critical infrastructure industries continue to ignore the reality that millions of dollars are being spent on these halfway security measures while breaches continue unabated and threat vectors multiply. Current spending on regulatory compliance and network security too often misses a structural vulnerability: security is still imprisoned in corporate silos and needs to break free.
1. The Intelligent Enterprise Needs Intelligent Security
2. The Unavoidable Human Side of Security
Consider a worker who logs into a utility's or energy company's operational systems without legitimate access, and without ever swiping their own access card, simply by tailgating someone through the door. A logon to OT systems by someone who has no corresponding badge entry should trigger automated checks and alarms so that security can investigate the physical breach, whether innocent or not. HR is a fundamental component of the solution in risk-ready enterprises and critical to managing the workforce effectively, acting as the authoritative source of truth for identity. A converged security platform, with a single view of cyber, physical, and operational parameters and real-time data connections across all critical enterprise applications, delivers a unified and proactive response to a wide range of incidents.
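The correlation described above is simple to state and rarely implemented. As an added example, not code from the article or from any vendor platform, the detection below replays constructed badge reads and OT logon events and raises an alert when a console logon at a site has no matching badge entry (the tailgating case) or when the account belongs to someone HR no longer lists as active. The roster, the event tuples, the site and host names and the date are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (not real logs). HR is the source of truth for
# who should hold an active identity at all.
HR_ROSTER = {
    "alice": {"status": "active", "site": "plant-1"},
    "bob": {"status": "active", "site": "plant-1"},
    "carol": {"status": "terminated", "site": "plant-1"},
}

# Badge reads from the physical access control system:
# (timestamp, user, site, direction)
BADGE_EVENTS = [
    ("2021-03-01T07:58:00", "alice", "plant-1", "in"),
    ("2021-03-01T12:02:00", "alice", "plant-1", "out"),
]

# Logons to OT/HMI hosts: (timestamp, user, host, site, access_kind)
# access_kind is "console" for a logon at the machine itself and "remote"
# for a logon arriving over a remote access session.
OT_LOGONS = [
    ("2021-03-01T08:05:00", "alice", "hmi-01", "plant-1", "console"),  # badged in
    ("2021-03-01T08:07:00", "bob", "hmi-01", "plant-1", "console"),    # never badged in
    ("2021-03-01T13:10:00", "alice", "hmi-01", "plant-1", "console"),  # badged out at 12:02
    ("2021-03-01T13:15:00", "carol", "hmi-02", "plant-1", "remote"),   # terminated in HR
]


def inside_at(badge_events, user, site, at):
    """Replay the user's badge reads at `site` up to time `at` and report
    whether the most recent read was an entry. No reads at all means the
    person is not known to be on site."""
    last_direction = None
    for ts, who, where, direction in sorted(badge_events):
        if who == user and where == site and datetime.fromisoformat(ts) <= at:
            last_direction = direction
    return last_direction == "in"


def correlate(hr, badge_events, logons):
    """Return one alert per anomalous OT logon, with the rules that fired."""
    alerts = []
    for ts, user, host, site, kind in logons:
        at = datetime.fromisoformat(ts)
        reasons = []
        record = hr.get(user)
        if record is None or record["status"] != "active":
            reasons.append("identity_not_active_in_hr")
        # A console logon needs a body at the keyboard; if the badge system
        # has not admitted that person, someone is on site without a record.
        if kind == "console" and not inside_at(badge_events, user, site, at):
            reasons.append("console_logon_without_badge_entry")
        if reasons:
            alerts.append({"time": ts, "user": user, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(HR_ROSTER, BADGE_EVENTS, OT_LOGONS):
        print(alert)
```

The rule deliberately treats "no badge read at all" the same as "badged out": both mean the access control system cannot vouch for the person at the console. In production the same join would be fed by the badge system's event stream and the HMI hosts' authentication logs, and the HR feed would drive de-provisioning as well as alerting.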
3. Insider Threat Protection 2.0
The Way Forward
We’re living in unprecedented times. Attacks on asset-intensive environments such as critical infrastructure and healthcare will continue to rise as malicious actors find new ways to exploit vulnerabilities. From COVID-19 to cyberattacks, the threats are many and complex. As security and technology leaders we are compelled to rise and meet the challenge. At AlertEnterprise we believe that only a converged approach, beyond IT-centric cybersecurity, is the way forward.