17-02-2021 | By Robin Mitchell
Recently, county police in Florida announced in a press statement that the Oldsmar water treatment system had been the target of a hacking attack. What happened in the incident, what other examples of infrastructure attacks exist, and should infrastructure be connected to networks?
Florida county police announced in a press statement that a hacker had gained access to the water treatment plant and attempted to raise the level of a cleaning compound to poisonous concentrations. In response, both the Secret Service and the FBI are launching an investigation to identify the hacker and understand how the attack was carried out.
The Oldsmar Water Treatment Plant utilises sodium hydroxide as a cleaning agent to treat drinking water. The typical concentration of the compound is set to 100ppm, but the attacker was able to override the control system and set this figure to 11,100ppm. Fortunately, plant operators noticed the sudden change and reset the system to 100ppm. Had the change gone unnoticed, many thousands of people who use the water supply would have experienced a range of symptoms including vomiting, chest pain, and abdominal pain.
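As an added example (not code from the article, the plant, or its vendor), here is a Python sketch of the kind of local setpoint guard that makes the write described above fail closed: every requested sodium hydroxide setpoint is checked against a plant-configured safety envelope and a maximum step size before it takes effect, and refused writes are recorded as alerts so operators see attempted changes rather than relying on noticing them on screen. The envelope (50 to 150ppm around the 100ppm normal level), the 20ppm step limit, the sample write sources and the timestamps are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class SetpointLimits:
    """Plant-configured safety envelope for a chemical dosing setpoint (ppm).
    Assumed values for illustration; a real plant derives these from its
    process safety analysis, not from this script."""
    low_ppm: float
    high_ppm: float
    max_step_ppm: float  # largest change one write may make to the setpoint


@dataclass(frozen=True)
class SetpointWrite:
    """One request to change the setpoint, as seen by the local controller."""
    timestamp: datetime
    source: str        # which HMI session or interface issued the write (assumed labels)
    value_ppm: float


@dataclass
class GuardDecision:
    accepted: bool
    applied_ppm: float          # the setpoint actually in force after the decision
    reasons: List[str] = field(default_factory=list)


# Assumed envelope around the 100ppm normal level mentioned in the article.
NAOH_LIMITS = SetpointLimits(low_ppm=50.0, high_ppm=150.0, max_step_ppm=20.0)


class SetpointGuard:
    """Fail-closed check applied locally before any setpoint write takes effect.

    The guard does not trust the requesting interface: a write outside the
    envelope, or one that jumps too far in a single step, is refused and the
    previous setpoint stays in force. Every refusal is kept as an alert."""

    def __init__(self, limits: SetpointLimits, initial_ppm: float):
        self.limits = limits
        self.current_ppm = initial_ppm
        self.alerts: List[dict] = []

    def evaluate(self, write: SetpointWrite) -> GuardDecision:
        reasons = []
        lim = self.limits
        if not (lim.low_ppm <= write.value_ppm <= lim.high_ppm):
            reasons.append(f"{write.value_ppm}ppm is outside the safety envelope "
                           f"{lim.low_ppm}-{lim.high_ppm}ppm")
        step = abs(write.value_ppm - self.current_ppm)
        if step > lim.max_step_ppm:
            reasons.append(f"change of {step}ppm exceeds the per-write limit "
                           f"of {lim.max_step_ppm}ppm")
        if reasons:
            # Refuse: keep the old setpoint and record what was attempted.
            self.alerts.append({
                "time": write.timestamp.isoformat(),
                "source": write.source,
                "requested_ppm": write.value_ppm,
                "kept_ppm": self.current_ppm,
                "reasons": reasons,
            })
            return GuardDecision(False, self.current_ppm, reasons)
        self.current_ppm = write.value_ppm
        return GuardDecision(True, self.current_ppm)


# Constructed sample traffic: a routine operator adjustment, then a write of
# the 11,100ppm value from the article, then an attempt to creep past the
# envelope in several small steps.
SAMPLE_WRITES = [
    SetpointWrite(datetime(2021, 2, 5, 13, 0, tzinfo=timezone.utc), "operator-hmi", 110.0),
    SetpointWrite(datetime(2021, 2, 5, 13, 30, tzinfo=timezone.utc), "remote-session", 11100.0),
    SetpointWrite(datetime(2021, 2, 5, 13, 31, tzinfo=timezone.utc), "remote-session", 130.0),
    SetpointWrite(datetime(2021, 2, 5, 13, 32, tzinfo=timezone.utc), "remote-session", 150.0),
    SetpointWrite(datetime(2021, 2, 5, 13, 33, tzinfo=timezone.utc), "remote-session", 170.0),
]


def run_guard(writes: List[SetpointWrite], initial_ppm: float = 100.0) -> SetpointGuard:
    """Replay a sequence of writes through a fresh guard and return the guard."""
    guard = SetpointGuard(NAOH_LIMITS, initial_ppm)
    for w in writes:
        decision = guard.evaluate(w)
        status = "ACCEPTED" if decision.accepted else "REFUSED "
        print(f"{w.timestamp:%H:%M} {status} {w.source:<15} {w.value_ppm:>8}ppm "
              f"-> in force {decision.applied_ppm}ppm")
    return guard


if __name__ == "__main__":
    g = run_guard(SAMPLE_WRITES)
    for alert in g.alerts:
        print("ALERT", alert)
```

Replaying the constructed sequence, the 11,100ppm write is refused on both counts and the setpoint stays at 110ppm; the later 20ppm steps are each individually acceptable and reach the top of the envelope, but the 170ppm write is stopped by the envelope itself. That is the point of keeping both checks: the step limit slows a creeping change and makes it visible, while the hard envelope is what actually bounds the dose regardless of which interface issued the write.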
Hackers often attack critical infrastructure, but what makes this incident particularly worrying and unique is that it directly attempted to cause harm to people. Until now, hackers have typically gained entry into systems for monetary gain, or to exert power over others through control of private data. This hack, however, demonstrates a new form of criminality whereby technologically gifted individuals have crossed a line.
Hackers have been motivated by various factors, including greed and sheer boredom. However, a new wave of hackers is being trained by national governments to coordinate attacks on a nation's ability to function, thereby giving the attacking government an advantage.
Many attacks reported in the media point fingers at eastern nations such as North Korea, China, and Iran. Still, it is more than likely that most countries around the globe conduct espionage. In fact, most nations probably attack their own systems to find out where their weaknesses are so that they can be fixed.
Whatever the source, critical infrastructure such as power and water networks is routinely attacked, and such attacks can cause real problems for those affected.
One major example was the power outage experienced by Ukraine in December 2015. During the attack, power was disconnected from homes and services, disrupting everyday life for over 230,000 people. A subsequent investigation revealed that hackers had used phishing emails to gain entry into the country's power infrastructure, and from there were able to cause chaos. One year after the attack, another attack took place in which the Pivnichna substation was disconnected from the grid, which has led some to wonder whether the attacks are a form of training exercise by a foreign entity.
Another example of critical infrastructure being attacked was the Rye Brook Dam attack in New York. In 2013, hackers (assumed to be from Iran) broke into the dam's command-and-control system using only a cellular modem. While it is unclear what the hackers did (if anything at all), the ability to interfere with a dam's functions can have dire consequences, including mass loss of life through flooding either upstream or downstream.
Connecting infrastructure to network systems such as the Internet allows such systems to be remotely managed and maintained, while also allowing multiple systems to work together as smart systems (for example, connecting home meters to a power grid so that power stations can better respond to energy demand). Furthermore, connected systems enable operators to react to sudden emergencies such as gas leaks, power line failures, and burst pipes.
However, connecting critical systems to a network that provides public access (via the Internet) gives hackers one of the easiest routes into such a system. If the infrastructure is taken offline, an attacker must be physically present at the infrastructure site to attack it, and from there can only attack that specific piece of infrastructure.
One country that has recognised this issue is Brazil, which is currently developing two 5G networks: one for the general public, and one for the government. While the government network could still be attacked by hackers, keeping the two networks separate gives the government a secondary network over which it can still communicate without interference.
Automation can be highly beneficial for infrastructure, but considering the increasing number of cyberattacks, and the dependency of nations on their critical infrastructure, I personally cannot see any need for connecting power, water, gas, and transport to any publicly accessible network. Like edge computing, processing and control should be moved to individual stations that can make decisions independently, and only as a result of plant operators authorising such action.