This is a very simple rule: do not connect systems that can kill people to the Internet. The electrical grid, natural gas lines, water systems and other utilities should not be connected to the Internet. The risks are greater than the benefits.
Oldsmar, Florida learned this the hard way. On Friday, February 5th, a hacker gained entry to the remote access software that was running on a machine controlling the water system. The first remote access happened at around 8 a.m. and did not raise alarms, since multiple people remotely accessed the system. Then, at around 1:30 p.m., a hacker again accessed the system, this time for around 5 minutes, and during this session the hacker changed the levels of chemicals in the system.
Pinellas County Sheriff Bob Gualtieri explained: “One of the functions opened by the person hacking into the system was one that controls the amount of sodium hydroxide in the water. The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is a main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in the water treatment plant.”
There were other safeguards in place, the change would have had to remain in place for several days to take effect, and the change was immediately undone, so there was not any real danger to Oldsmar water customers. Oldsmar also removed remote access from the machine. It also appears that the remote access software did not have individual accounts, so auditing which user made a change was not an option.
The lesson to learn from this is that machines running systems that can kill people should not be connected to the Internet. It is convenient to be able to log in remotely to troubleshoot an issue, but it should be a cost-benefit calculation, and the risk of giving remote hackers the opportunity to control a critical system should outweigh the benefit.
The unfortunate aspect of this is that they probably installed remote access because they are short-staffed and were trying to do more with less, which means they probably also struggled to keep everything up to date with best practices. It is very easy to relate to the situation that led the staff to make the decision they made. However, it is almost never a good idea to allow remote access to a critical system. Oldsmar was also able to remove remote access to the system immediately, so it appears that there was no compelling reason for the remote access to be there.
If a system has the ability to kill people, it should not be connected to the Internet and it should not have remote access software installed on it. It is much easier to secure a physical space than it is to stop all the hackers in the world. By not allowing remote access to a system, you make it necessary to gain physical access, which greatly reduces the risk. If a system does not need to be connected to the Internet, then it probably should not be.