I’ve made my feelings about the so-called Internet of things (IoT) abundantly clear over the years. While I won’t dismiss the advantages that come with making devices Internet accessible, I’m put off by industry’s general apathy towards security. This is especially true when critical infrastructure is connected to the Internet. Doing so can leads to stories like this:
Someone broke into the computer system of a water treatment plant in Florida and tried to poison drinking water for a Florida municipality’s roughly 15,000 residents, officials said on Monday.
The intrusion occurred on Friday evening, when an unknown person remotely accessed the computer interface used to adjust the chemicals that treat drinking water for Oldsmar, a small city that’s about 16 miles northwest of Tampa. The intruder changed the level of sodium hydroxide to 11,100 parts per million, a significant increase from the normal amount of 100 ppm, Pinellas County Sheriff Bob Gualtieri said in a Monday morning press conference.
The individuals involved with the water treatment plant have been surprisingly dismissive about this. They’ve pointed out that there was never any danger to the people of Oldsmar because treated water doesn’t hit the supply system for 24 to 36 hours and there procedures in place that would have caught the dangerous levels of sodium hydroxide in the water before it could be release. I believe both claims. I’m certain there are a number of water quality sensors involved in verifying that treated water is safe before it is released into the supply system. However, they’re not mentioning other dangers.
Poisoning isn’t the only danger of this kind of attack. What happens when treated water can’t be released into the supply system? If an attacker poisons some of the treated water, is there isolated surplus that can be released into the supply system instead? If not, this kind of attack is can work as a denial of service against the city’s water supply. What can be done with poisoned water? It can’t be released into the supply system and I doubt environmental regulations will allow it to be dumped into the ground. Even if it could be dumped into the ground, doing so would risk poisoning groundwater supplies. It’s possible that a percentage of the plant’s treatment capacity becomes unavailable for an extended period of time while the poisoned water is purified.
What’s even more concerning is that this attack wasn’t detected by an intrusion detection system. It was detected by dumb luck:
Then, around 1:30 that same day, the operator watched as someone remotely accessed the system again. The operator could see the mouse on his screen being moved to open various functions that controlled the treatment process. The unknown person then opened the function that controls the input of sodium hydroxide and increased it by 111-fold. The intrusion lasted from three to five minutes.
This indicates that the plant’s network security isn’t adequate for the task at hand. Had the operator not been at the console at the time, it’s quite possible that the attacker would have been able to poison the water. There is also a valid question about the user interface. Why does it apparently allow raising the levels of sodium hydroxide to a dangerous amount? If there are valid reasons for doing so (which there absolutely could be), why doesn’t doing so at least require some kind of supervisory approval?
It’s not uncommon for people involved in industries to cite the lack of budget necessary to address the issues I’ve raised. But if there isn’t a sufficient budget to address important security concerns when connecting critical infrastructure to the Internet, I will argue that it shouldn’t be done at all. The risks of introducing remote access to a system aren’t insignificant and the probability of an attack occurring are extremely high.
Whenever somebody discussing connecting a device to the Internet, I immediately ask what benefits doing so will provide. I then ask which of those benefits can be realized with a local automation system. For example, a Nest thermostat offers some convenient features, but many of those features can be realized with a local Home Assistant controller.
I saw this story last night and, well, what you said.
I don’t know much about the remote control software, or if it goes through third party servers or connects directly.
Nothing like that should be sitting directly on the internet. Remote access should only be allowed though a VPN. And it didn’t even require the approval of the person sitting at the machine? So much fail.
Was it a disgruntled employee? Was the password ridiculously obvious? I’m guessing the second one is true.
Sloppy internet access control is just a symptom of overall disastrous security management. No one in the West and elsewhere even recognized COVID until Chinese commies declared it to WHO and publicized virus genetic sequence. Not a small and inconsequential thing to miss. Why to rely on the goodwill of China Communist party for such crucial matters?