I bet few people had heard of Oldsmar, Florida before 2021. That all changed in February when the city made headlines. The reason? An Internet of Things (IoT) security incident moved into the physical world.
A history of elevated bleach levels
At 8 a.m. local time on February 5, 2021, an operator at the Oldsmar Water Treatment Plant noticed that someone had remotely hacked into the computer system he was monitoring and taken control of his mouse. The attacker used that control to change the amount of sodium hydroxide in the water from 100 parts per million to 11,000, a potentially dangerous level of bleach. If consumed, water treated at that level could have caused vision loss, pain, and shock, among other symptoms.
The water treatment plant had protections that would have corrected the change in time. But the worker acted first, adjusting the amount of bleach to safe levels before the other measures took effect. He also notified his supervisor to make sure that “measures were taken to prevent further remote access to the system.”
Sen. Marco Rubio (R-Fla.) asked the FBI to investigate the cyberattack. The agency later found that ‘poor password security’ may have been a factor. The exact source of the threat has not been found. However, investigators traced the stolen information about the water treatment plant to a larger data leak.
A look at other IoT and physical cybersecurity attacks
The attack on the Oldsmar plant represents an example of a ‘physical cyber attack’. In this type of attack, the target group, affected systems, entry vectors, or other factors have physical effects. In this example, the cyber attack changed the amount of bleach in use at the water treatment plant.
Some other examples from recent years show how these physical cyberattacks go beyond Oldsmar. In December 2016, malicious actors hid in the IT system of the Ukrainian utility company Ukrenergo, examined it and obtained administrator privileges. The attackers used what they gained to influence workstations and supervisory control and data acquisition (SCADA) systems. This attack caused a blackout in the Ukrainian capital, Kyiv, Reuters reported.
Three years later, CBS Los Angeles covered a report that discussed how threat actors could exploit software flaws in connected vehicles. Attackers could use those exploits to take over the gas pedals, steering, and braking of millions of vehicles.
Threat actors could also target IoT security systems that monitor smart buildings. They could use elevators, ventilation systems, fire extinguishers, and other features to wreak havoc on those inside.
The rise of IoT devices in the medical space comes with various kinds of IoT security risks. One of them is clinical risk. For example, an attacker could take advantage of IoT vendor weaknesses and/or poor security hygiene to cause a denial of service condition in a pacemaker.
Using IoT security against physical cyber attacks
A company can protect itself against cyber attacks to some extent by using best practices such as network segmentation, risk management, and threat detection. But those kinds of defensive strategies will only take it so far. As in the case of the Florida attack, sometimes a person also needs to intervene. This is because the impacts of physical cyberattacks depend in part on what systems are affected, how much IoT security is in place, and how devices are designed, factors over which defenders have no direct control.
Business leaders might consider working with industry peers, technology manufacturers, and public sector groups to minimize the risks of cyberattacks. They may forge these associations on their own, or they may seek to participate in established programs such as the Security of cyber physical systems Project. Working together can help minimize the physical effects of tomorrow’s IoT security issues and other digital attacks.
If your organization requires immediate assistance with incident response, contact the IBM Security X-Force US Hotline at 1-888-241-9812 | Global hotline (+001) 312-212-8034. More information is available about X-Force threat intelligence and incident response services.