I’d wager few people had ever heard of Oldsmar, Florida, prior to 2021. That all changed in February when the city made headlines. The reason? An Internet of things (IoT) security incident moved into the physical world.
A Tale of Lifted Lye Levels
At 8 a.m. local time on February 5, 2021, an operator at Oldsmar’s water treatment plant noticed someone had remotely entered the computer system he was watching and taken control of his mouse. The attacker used their control to change the amount of sodium hydroxide in the water from 100 parts per million to 11,000 — a potentially dangerous level of lye. If consumed, this cyber-physical attack could have caused loss of vision, pain and shock, among other symptoms.
The water treatment plant had protections in place that would have corrected the change in time. But the worker acted first, adjusting the amount of lye back to safe levels before the other measures kicked in. He also notified his supervisor to ensure “steps were taken to prevent further remote access to the system.”
Sen. Marco Rubio (R-Fla.) asked the FBI to look into the cyber-physical attack. The agency later found ‘poor password security’ may have been a factor. The exact origin of the threat hasn’t been found. However, researchers did trace stolen information about the water treatment plant to a larger data leak.
A Look at Other Cyber Physical and IoT Security Attacks
The attack on Oldsmar’s plant represents an example of a ‘cyber-physical attack.’ In this type of attack, the targeted group, affected system(s), entry vector(s) or other factors have physical effects. In this example, the cyberattack changed the amount of lye in use at the water treatment plant.
A few other examples from the past years show how these physical cyberattacks go beyond Oldsmar. In December 2016, malicious actors hid in Ukrainian utility Ukrenergo’s IT system, scoped it out and gained admin privileges. The attackers used what they obtained to influence workstations and Supervisory Control and Data Acquisition (SCADA) systems. This attack led to a blackout in Ukraine’s capital of Kiev, reported Reuters.
Three years later, CBS Los Angeles covered a report that discussed how threat actors could exploit software flaws in connected vehicles. The attackers could use those exploits to assume control of millions of vehicles’ gas pedals, steering and braking.
Threat actors could also target the IoT security systems that oversee smart buildings. They could use elevators, ventilation systems, fire extinguishers and other functions in order to wreak havoc on those inside.
The rise of IoT devices in the medical space comes with several types of IoT security risks. One of those is clinical risk. For instance, an attacker could leverage IoT manufacturer weaknesses and/or poor security hygiene to produce a denial-of-service condition on a pacemaker.
Using IoT Security Against Cyber Physical Attacks
The enterprise can protect against cyber-physical attacks to some extent by using best practices, such as network segmentation, risk management and threat detection. But those types of defensive strategies will carry them only so far. As in the case of the Florida attack, sometimes a person needs to step in as well. That’s because the impacts of cyber physical attacks in part rely on which systems are affected, how much IoT security is in place and how devices are designed — factors over which defenders don’t have direct control.
Enterprise leaders might consider working together with industry peers, tech manufacturers and public-sector groups in order to minimize the risks of cyber-physical attacks. They can forge these partnerships on their own, or they can look to participate in established programs such as the Cyber Physical Systems Security project. Working together can help minimize the physical effects of tomorrow’s IoT security problems and other digital attacks.
If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.