IT security: when the drinking water supply is hacked


When the unknown hackers carried out their attack on the drinking water supply, the control room of the facility in Oldsmar, Florida, was staffed. It must have been an eerie scene for the employee present: without any action on his part, the mouse pointer suddenly moved and opened the control system for the water treatment. Anyone on the Internet can see what the system’s interface looks like: a jumble of status messages, green and red lights, and the names of various pumps. But the attacker apparently found his way around. According to the sheriff of Oldsmar, it took him only three to five minutes to open another panel; then the mouse pointer clicked the proportion of dangerous sodium hydroxide in the water from 0.0001 percent to 0.011 percent, a hundredfold increase. Then the stranger logged off again.

Because the responsible employee of the waterworks was able to follow every step live on site, it was easy to undo everything immediately. But had the attacker really wanted to cause damage, with a little more effort he would probably have managed to manipulate the values undetected. The sheriff of Oldsmar emphasized at a press conference on Monday that it would have taken more than 24 hours for the water to reach consumers. In addition, the elevated values would have been noticed later by warning systems. Nevertheless, the shock runs deep among the local authorities and experts in the security of industrial control systems (ICS).

Civilians could have been injured

Kai Thomsen works for Dragos, an IT security company that, among other things, advises the US government on ICS. “The case worries me very much,” says Thomsen on the phone. One thing is certain: “There is someone who accepts that civilians will be harmed by the action.”

That it could come to this, however, is also due to the lack of security precautions at the facility. The list of errors is long: the water supplier used TeamViewer, a well-known remote-maintenance tool, to access the control systems from outside. The US security authorities recommend using specially secured devices, or at least adequately protecting the connection. In Oldsmar, by contrast, there was no firewall, and Internet users could apparently reach the TeamViewer instance from anywhere in the world. Its password was apparently an easy-to-guess default password. Screenshots of alleged leaked access credentials are also circulating online.

The rest of the systems weren’t in the best shape either. The computers ran the 32-bit version of Windows 7, an operating system for which Microsoft has not provided security updates since the beginning of 2020 except under a special support contract.

But where did the attackers come from? Chris Krebs, former head of the US cybersecurity agency CISA, said in a hearing before the US Congress that he thinks it likely that a disgruntled employee was behind it. So-called insiders are responsible for a good number of hacker attacks on companies every year. In Australia in 2000, it was a laid-off worker who dumped over a million liters of contaminated water into bodies of water.

Vulnerable infrastructure, also in Germany

Other experts consider the insider hypothesis implausible. “Who is behind this in this case, we may not find out at all,” says ICS expert Kai Thomsen. For example, it is still unclear to what extent the water supplier even has log data from the incident. It is anything but certain that an insider or a young hacker was at work in Oldsmar. There have been several attacks on critical infrastructure in recent years. In Israel, hackers tried several times last year to increase the chlorine content of drinking water. Since 2015 there have been several attacks in Ukraine that cut off electricity. Since then there have also been incidents at smaller suppliers, including waterworks, says Thomsen.

The security of critical infrastructure is a recurring topic of discussion in Germany. The Federal Ministry of the Interior is currently planning to introduce new legal requirements for operators of critical systems with the IT Security Act 2.0. However, experts criticize that many of the rules it provides for are likely to be ineffective. “Of the 5,000 municipal utilities in Germany, at most 50 will have to meet the new requirements,” says Manuel Atug, one of the spokesmen for AG-Kritis, an NGO committed to security in civil infrastructure. This is due to the threshold, which in turn is specified in the Kritis regulation: a supplier must be responsible for 500,000 people before it counts as critical infrastructure within the meaning of the regulation. There is no doubt that there are industrial control systems in Germany that are susceptible to hacker attacks. “Remote maintenance is always a problem, in Germany too,” says Atug.

Kai Thomsen criticizes the fact that there are hardly any ways in Germany to find out what is happening in the networks of Kritis operators. Hardly any company stores the connection data that would be needed to investigate hacker attacks. “They are already further ahead in the USA. At least there is awareness there,” says Thomsen. There are repeatedly minor disruptions in power grids or waterworks, in Germany too. These don’t have to be hacker attacks, says Thomsen, but without log files it is impossible to rule them out.
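The point Thomsen makes about log data is easy to show in code. The following is an added example, not code from the article or from any of the companies it names: a small detector that replays a constructed audit-log excerpt and raises the two alerts that would have caught the Oldsmar pattern, a remote session from a source outside an allow-list and a dosing setpoint pushed outside its engineering limits. The log format, the field names, the maintenance network, the limits and the step ratio are all assumptions made for the illustration; the setpoint values use the percent figures quoted above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed audit-log excerpt in an assumed "<timestamp> <EVENT> key=value ..." format.
SAMPLE_LOG = """\
2021-02-05T08:02:11 SESSION_START tool=remote_desktop src=10.20.0.15 user=operator
2021-02-05T08:05:40 SETPOINT_CHANGE tag=NaOH_pct old=0.0001 new=0.0001 user=operator
2021-02-05T13:14:02 SESSION_START tool=remote_desktop src=203.0.113.77 user=operator
2021-02-05T13:17:30 SETPOINT_CHANGE tag=NaOH_pct old=0.0001 new=0.011 user=operator
2021-02-05T13:19:05 SESSION_END tool=remote_desktop src=203.0.113.77 user=operator
"""

# Assumed allow-list: remote sessions are expected only from the maintenance
# network (constructed range), never from arbitrary Internet hosts.
ALLOWED_REMOTE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed engineering limits per tag, in the percent units the article quotes.
SETPOINT_LIMITS = {"NaOH_pct": (0.0, 0.001)}

# Assumed: a single change by more than this factor is suspicious even when
# the new value is still inside the limits.
MAX_STEP_RATIO = 5.0


@dataclass
class Alert:
    ts: str
    kind: str
    detail: str


def parse_line(line):
    """Split one log line into (timestamp, event, dict of key=value fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return ts, event, fields


def is_allowed_source(src):
    """True when the session source address lies inside an allow-listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_REMOTE_NETS)


def analyse(log_text):
    """Replay the log in order and return the alerts raised, oldest first."""
    alerts = []
    external_sessions = set()  # sources of open sessions from outside the allow-list
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, f = parse_line(raw)
        if event == "SESSION_START":
            if not is_allowed_source(f["src"]):
                external_sessions.add(f["src"])
                alerts.append(Alert(ts, "remote_access_outside_allowlist",
                                    f"{f['tool']} from {f['src']} as {f['user']}"))
        elif event == "SESSION_END":
            external_sessions.discard(f["src"])
        elif event == "SETPOINT_CHANGE":
            tag, old, new = f["tag"], float(f["old"]), float(f["new"])
            lo, hi = SETPOINT_LIMITS.get(tag, (float("-inf"), float("inf")))
            # Correlate the change with any external session still open, so the
            # investigator sees at once who was connected when the value moved.
            context = ""
            if external_sessions:
                context = " during external session from " + ", ".join(sorted(external_sessions))
            if not lo <= new <= hi:
                alerts.append(Alert(ts, "setpoint_out_of_limits",
                                    f"{tag} {old} -> {new}, limits {lo}..{hi}{context}"))
            elif old > 0 and new / old > MAX_STEP_RATIO:
                alerts.append(Alert(ts, "setpoint_large_step",
                                    f"{tag} {old} -> {new} (x{new / old:.0f}){context}"))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a.ts, a.kind, a.detail)
```

Run against the constructed excerpt, the morning session from the maintenance network and the unchanged setpoint produce nothing, while the afternoon session from an Internet address and the hundredfold jump each raise an alert, the second one annotated with the session that was open at the time. None of this is possible without the log lines in the first place, which is the gap Thomsen describes.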
