I’d wager few people had ever heard of Oldsmar, Florida, prior to 2021. That all changed in February when the city made headlines. The reason? An Internet of Things (IoT) security incident moved into the physical world.

A Tale of Lifted Lye Levels

At 8 a.m. local time on February 5, 2021, an operator at Oldsmar’s water treatment plant noticed someone had remotely entered the computer system he was watching and taken control of his mouse. The attacker used their control to change the amount of sodium hydroxide in the water from 100 parts per million to 11,000 — a potentially dangerous level of lye. Had the altered water been consumed, this cyber-physical attack could have caused loss of vision, pain and shock, among other symptoms.

The water treatment plant had protections in place that would have corrected the change in time. But the worker acted first, adjusting the amount of lye back to safe levels before the other measures kicked in. He also notified his supervisor to ensure “steps were taken to prevent further remote access to the system.”

Sen. Marco Rubio (R-Fla.) asked the FBI to look into the cyber-physical attack. The agency later found ‘poor password security’ may have been a factor. The exact origin of the threat hasn’t been found. However, researchers did trace stolen information about the water treatment plant to a larger data leak.

A Look at Other Cyber-Physical and IoT Security Attacks

The attack on Oldsmar’s plant represents an example of a ‘cyber-physical attack.’ In this type of attack, the targeted group, affected system(s), entry vector(s) or other factors have physical effects. In this example, the cyberattack changed the amount of lye in use at the water treatment plant.

A few other examples from the past years show how these physical cyberattacks go beyond Oldsmar. In December 2016, malicious actors hid in Ukrainian utility Ukrenergo’s IT system, scoped it out and gained admin privileges. The attackers used what they obtained to influence workstations and Supervisory Control and Data Acquisition (SCADA) systems. This attack led to a blackout in Ukraine’s capital of Kiev, reported Reuters.

Three years later, CBS Los Angeles covered a report that discussed how threat actors could exploit software flaws in connected vehicles. The attackers could use those exploits to assume control of millions of vehicles’ gas pedals, steering and braking.

Threat actors could also target the IoT security systems that oversee smart buildings. They could use elevators, ventilation systems, fire extinguishers and other functions in order to wreak havoc on those inside.

The rise of IoT devices in the medical space comes with several types of IoT security risks. One of those is clinical risk. For instance, an attacker could leverage IoT manufacturer weaknesses and/or poor security hygiene to produce a denial-of-service condition on a pacemaker.

Using IoT Security Against Cyber-Physical Attacks

The enterprise can protect against cyber-physical attacks to some extent by using best practices, such as network segmentation, risk management and threat detection. But those types of defensive strategies will carry it only so far. As in the case of the Florida attack, sometimes a person needs to step in as well. That’s because the impacts of cyber-physical attacks depend in part on which systems are affected, how much IoT security is in place and how devices are designed — factors over which defenders don’t have direct control.

Enterprise leaders might consider working together with industry peers, tech manufacturers and public-sector groups in order to minimize the risks of cyber-physical attacks. They can forge these partnerships on their own, or they can look to participate in established programs such as the Cyber Physical Systems Security project. Working together can help minimize the physical effects of tomorrow’s IoT security problems and other digital attacks.

