What can Municipalities do to better protect water systems from hackers?
Recently, an unknown person violated the electronic systems of the drinking water treatment plant in Oldsmar, Florida (USA) and tried to poison the city's water supply by changing the levels of sodium hydroxide.
There are concerns about possible future cyber-attacks against other, under-protected water treatment systems in small towns around the world and what can be done to prevent such attacks.
In the case of Florida, cybercriminals used remote access tools to invade and alter the levels of chemicals in the water supply, raising them to potentially dangerous levels.
This is worrying, among other things, because it is not a blind attack but a targeted attack that takes time to plan and implement. And while this incident was not an attack taking advantage of zero-day vulnerabilities, chances are someone had been eyeing the target for quite some time.
Future attacks against other Municipalities are expected. Most likely, another attack will be carried out with procedures applied to Ransomware type attacks.
So what can small towns do?
According to Cameron Camp, Security Researcher at leading cybersecurity company ESET, small towns should take the time to understand and implement the guidelines that are already available, and which can be as simple as adding authentication (2FA), updating systems, training staff in proper safety practices, and implementing proper change control procedures (according to media reports, TeamViewer had been replaced as a remote access solution to this water treatment plant, despite all this remained in operation, exposing the factory to the Internet via an unnecessary interface).
The ESET researcher also suggests that small town water utilities do a simulation exercise for a hypothetical breach of their electronic systems and then seek the solution by trying to "think like hackers".
In fact, Cameron Camp is urging water utilities to conduct a simulation exercise in the event of a ransomware attack. That way, small towns will not have to explain to their citizens why they spent public money to stop an attack that could have been prevented from the start.