I’d wager few people had ever heard of Oldsmar, Florida, prior to 2021. That all changed in February when the city made headlines. The reason? An Internet of things (IoT) security incident moved into the physical world.

A Tale of Lifted Lye Levels

At 8 a.m. local time on February 5, 2021, an operator at Oldsmar’s water treatment plant noticed someone had remotely entered the computer system he was watching and taken control of his mouse. The attacker used that control to change the amount of sodium hydroxide in the water from 100 parts per million to 11,000 — a potentially dangerous level of lye. If consumed, water treated at that level could have caused loss of vision, pain and shock, among other symptoms.

The water treatment plant had protections in place that would have corrected the change in time. But the worker acted first, adjusting the amount of lye back to safe levels before the other measures kicked in. He also notified his supervisor to ensure “steps were taken to prevent further remote access to the system.”

Sen. Marco Rubio (R-Fla.) asked the FBI to look into the cyber-physical attack. The agency later found ‘poor password security’ may have been a factor. The exact origin of the threat hasn’t been found. However, researchers did trace stolen information about the water treatment plant to a larger data leak.

A Look at Other Cyber Physical and IoT Security Attacks

The attack on Oldsmar’s plant represents an example of a ‘cyber-physical attack.’ In this type of attack, the targeted group, affected system(s), entry vector(s) or other factors have physical effects. In this example, the cyberattack changed the amount of lye in use at the water treatment plant.

A few other examples from the past years show how these physical cyberattacks go beyond Oldsmar. In December 2016, malicious actors hid in Ukrainian utility Ukrenergo’s IT system, scoped it out and gained admin privileges. The attackers used what they obtained to influence workstations and Supervisory Control and Data Acquisition (SCADA) systems. This attack led to a blackout in Ukraine’s capital of Kiev, reported Reuters.

Three years later, CBS Los Angeles covered a report that discussed how threat actors could exploit software flaws in connected vehicles. The attackers could use those exploits to assume control of millions of vehicles’ gas pedals, steering and braking.

Threat actors could also target the IoT security systems that oversee smart buildings. They could use elevators, ventilation systems, fire extinguishers and other functions in order to wreak havoc on those inside.

The rise of IoT devices in the medical space comes with several types of IoT security risks. One of those is clinical risk. For instance, an attacker could leverage IoT manufacturer weaknesses and/or poor security hygiene to produce a denial-of-service condition on a pacemaker.

Using IoT Security Against Cyber Physical Attacks

The enterprise can protect against cyber-physical attacks to some extent by using best practices, such as network segmentation, risk management and threat detection. But those types of defensive strategies will carry defenders only so far. As in the case of the Florida attack, sometimes a person needs to step in as well. That’s because the impacts of cyber-physical attacks rely in part on which systems are affected, how much IoT security is in place and how devices are designed — factors over which defenders don’t have direct control.

Enterprise leaders might consider working together with industry peers, tech manufacturers and public-sector groups in order to minimize the risks of cyber-physical attacks. They can forge these partnerships on their own, or they can look to participate in established programs such as the Cyber Physical Systems Security project. Working together can help minimize the physical effects of tomorrow’s IoT security problems and other digital attacks.

