Should Water Treatment Facilities Allow Remote Access?

Should water treatment staff be allowed to remote login to monitor systems?  This is becoming a hot button issue with the Oldsmar breach in February and the recent indictment of a man accused of tampering with the Ellsworth County, Kansas treatment plant in 2019.  In both of these cases, the accused was able to tamper with the controls of the water treatment plant via remote access.

Authorities have not yet identified who tampered with the water system in Oldsmar, Florida.  Thankfully, a quick-thinking operator at the plant noticed someone had taken control of his mouse to increase the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. The operator immediately changed the concentration back to 100 parts per million.

In Ellsworth County, the accused is 22-year-old Wyatt Travnichek.  Travinchek was an employee at the water treatment plant.  According to The Verge, Travinchek simply “logged in remotely” months after he left the job, began shutting things down, and is now facing up to 20 years in prison.

The issue in both of these cases is that neither water treatment plant bothered to change the password once employees left, or even remove an old piece of remote-control software after they’d installed a newer one. This is the biggest flaw that left both operations vulnerable to attack. 

Even though neither attacker was successful in harming the water supply, it does make you wonder, should we allow remote access to our critical infrastructure?  Eric Chien, a security researcher at Symantec, described the breach at Oldsmar in this way: “This is a small municipality that is likely small-budgeted and under-resourced, which purposely set up remote access so employees and outside contractors can remote in.”  It sounds like a disaster waiting to happen.

If remote access is necessary, it is suggested that Operational Technology (OT) be segmented away from Information Technology (IT). Separating the two means protecting OT devices from any possible digital breach. In addition, the FBI outlined these 9 steps:

  1. Use multi-factor authentication
  2. Use strong passwords to protect Remote Desktop Protocol (RDP) credentials
  3. Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure
  4. Audit network configurations and isolate computer systems that cannot be updated
  5. Audit your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts
  6. Audit logs for all remote connection protocols
  7. Train users to identify and report attempts at social engineering
  8. Identify and suspend access of users exhibiting unusual activity
  9. Keep software updated