(by Andrea Pinto) Even the management of aqueducts over the years has passed from analog to digital systems. An innovative way to ensure the continuous control of water purity and save resources to pay employees who over time have had to leave their jobs in favor of a few more specialized units with a higher level of education. Results? There were no more substantial inconveniences in the supply of water supplies and it was possible to intervene in time at the slightest sign of impurity of the precious resource. The Washington Post dealt with the topic, however, relating a vulnerability of modern aqueducts.
At the beginning of February someone tried to to poison the water supply in the city of Oldmar, on the Gulf Coast in Florida.
According to the Pinellas County Sheriff, a hacker managed to remotely access the Oldsmar water treatment plant network increasing the amount of sodium hydroxide in the water by 100 times, enough to cause death or cause serious injury to unsuspecting citizens.
Fortunately, a specialized technician noticed the anomaly and managed to deflect the hacker out of the network before he carried out his attack. What has happened shows that the modern aqueduct, even if today it is more connected than ever, is nevertheless vulnerable to cyber attacks.
In power plants, aqueducts, and all kinds of utilities, computers connect to process controllers to spin turbines, rotate robotic arms, or, in this case, open valves to release sodium hydroxide. These national strategic structures to guarantee the quality of their final products, however, often have to leave the internal network to exchange data and analyzes with external bodies via the commercial web network.
In fact, attackers gain access to critical infrastructure systems when company devices are connected to the commercial internet network or when a network administrator suffers a computer scam through "spear phishing".
Oldsmar was not the first cyber attack on water infrastructure. In April 2020 the National Cyber Directorate Israeli urged all water treatment companies to change their passwords on critical systems. In 2016, according to a report from the security unit of Verizon, hackers with ties to the Syria they got access to a water service in an unknown country and managed to "hamper water treatment and production capacities".
However, what happened to the Oldsmar aqueduct reassures insiders because the anomaly was quickly identified already in the initial phase of the attack. The experts, however, reassure that the redundancy of the systems would have revealed the malicious attempt before the delivery of the supply.
Plant operator became suspicious when his mouse arrow moved by itself and made changes to critical water treatment processes. But what if the operator doesn't have the benefit of a visual aid to observe the hacker in real time? What if the human-machine interface was manipulated by malware to signal "all right" as the hackers increased the sodium hydroxide concentration to lethal levels? Would the breach have been detected before anyone drank or bathed in the corrosive adulterated water? Aqueduct managers told the media: "Luckily there are sensors for detecting toxic water during general pipelines. These sensors are connected in such a way as to continuously communicate and transmit data and surveys to allow the operators of the plant to take preventive actions."
This time we can say that the bad guys did not succeed, the important thing is that we must not let our guard down and take the case of the Odsmare aqueduct as a lesson learned to implement the safety devices to defend our national critical structures.