Cyber attackers began attacking drinking water networks after industrial facilities, hospitals and public institutions.
In the city of Oldsmar in Florida, the United States, a hacker infiltrated the water supply network that supplied the public with drinking water and attempted to poison the water, prompting security experts. This attack, which was scrutinized by the Cyber Security organization ESET, once again revealed how important cyber security is for public health.
After the cyber attack on the water network in the US last week, police officials stated in their statement that measures were taken before there was a danger to public health. An informatics expert working in the water network realized that the amount of sodium hydroxide in the water was increased 100 times in the remotely controlled treatment system, contributing to the prevention of a very dangerous situation in time.
What can municipalities do to better protect their water supply systems?
Even if the cyber attack in Florida is not successful, it shows that drinking water networks that are not well protected and do not take adequate precautions are at risk. ESET examined what can be done regarding this issue, which directly concerns public health. Experts underlined that the attack was targeted, stating that criminals used remote access devices to change chemical levels in the water supply. While this incident is not an insidious zero-day attack, they have long emphasized the possibility that the malicious person or persons were dealing with the target.
How such an attack is carried out
Hackers seem to have specific knowledge of water treatment and management systems or work on it for a long time. First, the attackers set the target, gather information and create a plan. Once accessed, they investigate the network for control systems that directly interact with the water treatment process. After determining the potential attack area, they focus on how to damage them by carrying out detailed and targeted studies.
What should local governments and municipalities do?
This incident in Florida has drawn attention to the possibility of cyber attacks on places that will directly affect public health in the near future. ESET Cyber Security Experts underlined that all governments and municipalities, regardless of whether they are small or large, should plan for such attacks on drinking water networks or water treatment facilities, and made the following recommendations;
- Always be prepared for possible cyber attacks
- Cyber security experts working in these units should think like a hacker and determine the ways to prevent malicious people from entering the system and make plans.
- Employees must be informed and trained on cyber attacks
- Managements should take 2FA (Double Factor Protection) applications into effect
- Technical experts should carefully follow the patch application
- Existing structure and control processes should be over and over again.
- Considering that there may be a violation or cyber attack, planning and subsequent exercises should be made.