What can Municipalities do to better protect water systems from hackers?
Recently, an unknown person violated the electronic systems of the drinking water treatment plant in Oldsmar, Florida (USA) and tried to poison the city's water supply by changing the levels of sodium hydroxide.
There are concerns about possible similar future cyberattacks against other poorly protected water treatment systems in small towns around the world and what can be done to prevent such attacks. attacks.
In the case of Florida, cybercriminals used remote access tools to invade and alter the levels of chemicals in the water supply, raising them to potentially dangerous levels.
This is worrying, among other things, because it is not a blind attack but a targeted attack that takes time to plan and carry out. And while this incident was not an exploited attack zero-day vulnerabilities, chances are someone had their eye on the target for quite some time.
Future attacks against other Municipalities are expected. Most likely, another attack will be carried out with procedures applied to Ransomware type attacks.
So what can small towns do?
According to Cameron Camp, Security Researcher at leading cybersecurity company ESET, small towns should take the time to understand and implement the guidelines that are already available, which can be as simple ascase control two-factor authentication (2FA), h information systems, training staff in correct security practices, and implementing proper change control procedures (according to media reports, TeamViewer had been replaced as a remote access solution at this particular water treatment plant, yet it remained in operation, exposing the factory on the Internet through a non-required interface).
The ESET researcher also suggests that small town water utilities do a simulation exercise for a hypothetical breach of their electronic systems and then seek the solution by trying to "think like hackers".
In fact, Cameron Camp is urging water utilities to conduct a simulation exercise in the event of a ransomware attack. That way, small towns will not have to explain to their citizens why they spent public money to stop an attack that could have been prevented from the start.
