Water Treatment Plant Hack Could Have Killed Many Because Of Lax IT Security

Earlier this week, a hack came to light that looks quite scary now that more details are emerging. Here are the facts:

  • A water treatment facility in Oldsmar, Florida, a city of about 15,000 people, was accessed by an unknown party.
  • The intruder got in through a computer that controlled equipment inside the plant. That machine ran an unsupported version of Windows, sat behind no firewall, and was reachable over TeamViewer with a single password shared among the facility's employees.
  • The intruder raised the setpoint for sodium hydroxide, a.k.a. lye, by a factor of roughly 100, a concentration that could have seriously harmed or killed anyone who drank the water.

Clearly this isn't a trivial event, and it was clearly preventable. I reached out to two people to get their views on this incident. The first is Mieng Lim, VP of product management at Digital Defense, Inc. (www.digitaldefense.com), a provider of vulnerability management and threat assessment solutions:

The incident at the Oldsmar, Florida water treatment plant is a reminder that our nation’s critical infrastructure is continually at risk; not only from nation-state attackers, but also from malicious actors with unknown motives and goals. Our dependency on critical infrastructure – power grids, utilities, water supplies, communications, financial services, emergency services, etc. – on a daily basis emphasizes the need to ensure the systems are defended against any adversary. Proactive security measures are crucial to safeguard critical infrastructure systems when perimeter defenses have been compromised or circumvented. We have to get back to the basics – re-evaluate and rebuild security protections from the ground up.

The second person I talked to was Chris Hickman, chief security officer at the digital identity security vendor Keyfactor (www.keyfactor.com):

This event reinforces the increasing need to authenticate not only users, but the devices and machine identities that are authorized to connect to an organization’s network. If your only line of protection is user authentication, it will be compromised. It’s not necessarily about who connects to the system, but what that user can access once they’re inside. If the network could have authenticated the validity of the device connecting to the network, the connection would’ve failed because hackers rarely have possession of authorized devices. This and other cases of hijacked user credentials can be limited or mitigated if devices are issued strong, crypto-derived, unique credentials like a digital certificate. In this case, it looks like the network had trust in the user credential but not in the validity of the device itself. Unfortunately, this kind of scenario is what can happen when zero trust is your end state, not your beginning point.
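To make the point concrete, here is an added example (mine, not Mr. Hickman's, Keyfactor's, or anything from the Oldsmar plant) of the device check he describes, using mutual TLS from the Go standard library. A private "plant device CA" issues a certificate to the control endpoint and to one enrolled workstation. The endpoint requires every client to present a certificate chaining to that CA, which is the difference between the shared-password-only situation in the list above and an authenticated device. Three connection attempts are made: the enrolled device, a client with no device credential at all (an attacker holding only the shared TeamViewer-style password), and a client presenting a self-signed certificate it minted itself. The names `hmi.plant.local`, `operator-ws-01` and `attacker-laptop` are made up for the demo; the listener binds to 127.0.0.1 and all certificates are generated in memory, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issueCert makes a P-256 key and certificate for cn. With parent == nil the result is
// self-signed (the plant's device CA, or an attacker's home-made certificate); otherwise
// it is signed by parent/parentKey, i.e. the device is enrolled in the plant CA.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the system RNG fails
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // hypothetical names, see lead-in
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo dials 127.0.0.1
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// tryConnect runs a TLS endpoint that admits only clients whose certificate chains to the
// plant CA, then dials it with clientCert (nil = no device credential, the shared-password-only
// situation). It returns nil only if the server let the client in and sent its greeting.
func tryConnect(serverCert tls.Certificate, caPool *x509.CertPool, clientCert *tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // device identity is mandatory, not optional
		ClientCAs:    caPool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		if c.(*tls.Conn).Handshake() == nil { // client certificate verified against caPool
			c.Write([]byte("ok"))
		}
	}()
	cfg := &tls.Config{RootCAs: caPool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 2)) // under TLS 1.3 a rejected client learns of it here
	return err
}

// scenarios returns, per client situation, whether the endpoint let the device in.
func scenarios() map[string]bool {
	caTLS, caCert := issueCert("Plant Device CA", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	caKey := caTLS.PrivateKey.(*ecdsa.PrivateKey)
	hmi, _ := issueCert("hmi.plant.local", caCert, caKey)      // the control-room endpoint
	enrolled, _ := issueCert("operator-ws-01", caCert, caKey) // device issued a plant certificate
	rogue, _ := issueCert("attacker-laptop", nil, nil)        // self-signed, never enrolled
	return map[string]bool{
		"enrolled device":      tryConnect(hmi, pool, &enrolled) == nil,
		"no device credential": tryConnect(hmi, pool, nil) == nil,
		"unenrolled device":    tryConnect(hmi, pool, &rogue) == nil,
	}
}
```

Only the enrolled workstation gets through; the password-only client and the self-issued certificate are both refused at the handshake, before any application logic runs. One caveat a practitioner should keep in mind: the certificate proves possession of the device's private key, so the protection is only as good as the key's storage. Keep it in a TPM or smart card so that a stolen password, or even a copied user profile, does not carry the device identity with it.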

Clearly this incident highlights the fact that those responsible for critical infrastructure need to up their game when it comes to security. Otherwise, the next time this happens, and there will be a next time, people could die.
