Recently, a cyber attacker attempted to add lethal amounts of lye to the water supply at a treatment plant in the Tampa Bay city of Oldsmar. It was a warning shot across the bow of our nation’s critical infrastructure and a test of our nation’s preparedness and resolve.
Thankfully, a supervisor who was working remotely saw the concentration of sodium hydroxide being increased by a factor of more than 100 and reversed it.
Was this a signal from one country to another regarding the capability and willingness to use cyber weapons? Was this a test of the new U.S. president?
Consider the reported blackouts in Mumbai, India, which have been attributed, reportedly, to China: an all-too-recent example of how nation states can threaten their adversaries with cyber attacks on critical infrastructure.
Certainly, new administrations have been tested before. In 2017, two cyber incidents were attributed to nation states. WannaCry, generally attributed to North Korea, spread ransomware to computers throughout the world, most notably in the United States and the United Kingdom. Even more serious was NotPetya, first launched against companies doing business in Ukraine but spreading swiftly to ports and shipping companies around the world, threatening global maritime commerce and crippling the world’s largest shipping company. In 2009, coordinated distributed denial-of-service attacks against South Korean government, news media and financial websites were accompanied by attacks against websites belonging to the White House, the Pentagon, the New York Stock Exchange, The Washington Post, NASDAQ and Amazon. All these incidents were associated with nation states building out, and possibly demonstrating, their arsenal of cyber weapons.
My own experience managing cybersecurity businesses, overseeing cybersecurity research and development, and leading forensic examinations of cyber attacks tells me that while cyber criminals abound, the most potent threats have arisen from nation-state actors demonstrating their capacity, reach and intent.
Here in the United States, we should not be surprised to see other, and possibly larger, provocations and signals within the next few months.
In Oldsmar, the attacker reportedly gained access, through the plant’s remote-access software, to the computer-based industrial control systems (ICS) used to manage the treatment process and the Internet of Things (IoT) devices embedded in it. Such industrial control systems are used throughout the nation’s critical infrastructure sectors, including water, power, transportation and many other systems. Supervisory control and data acquisition (SCADA) systems, a class of ICS, supervise and coordinate these controllers and devices from central operator consoles, often over remote links; where those links, or the consoles behind them, are exposed, the SCADA layer is vulnerable as well.
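The Oldsmar supervisor caught the change by eye. The following is an added example, not code from this article, the plant or any vendor, of what the same two safeguards look like when built into the system itself: a hard engineering limit enforced at the controller regardless of what the operator console sends, and a monitor over setpoint-change audit records that flags out-of-range or abrupt changes and escalates any that arrive over a remote session. The tag name, the limits, the log format and the sample log lines are all constructed assumptions for illustration.

```python
"""Added example: controller-side setpoint limits plus an audit-log monitor.

Everything here is constructed for illustration. The tag NAOH_DOSE_SP, the
limits, the log format and the sample events are assumptions; they are not
taken from the Oldsmar plant or from any real product.
"""
from dataclasses import dataclass
from typing import List

# Assumed engineering limits for a sodium hydroxide dosing setpoint, in ppm.
# In a real plant these values come from the process engineers, not from IT.
NAOH_MIN_PPM = 0.0
NAOH_MAX_PPM = 500.0     # hypothetical hard ceiling, enforced at the controller
MAX_STEP_RATIO = 5.0     # alert when one change multiplies or divides the value by >5x


@dataclass
class SetpointChange:
    timestamp: str
    tag: str
    old_value: float
    new_value: float
    source: str          # assumed values: "local_hmi" or "remote_session"


def clamp_setpoint(requested: float) -> float:
    """Controller-side limit: whatever the console sends, never dose above the ceiling.

    This check exists independently of who can log in to the HMI; an operator
    (or an intruder) typing 11100 gets 500.
    """
    return max(NAOH_MIN_PPM, min(requested, NAOH_MAX_PPM))


def parse_line(line: str) -> SetpointChange:
    """Parse one constructed audit-log line: '<timestamp> <tag> <old> <new> <source>'."""
    ts, tag, old, new, source = line.split()
    return SetpointChange(ts, tag, float(old), float(new), source)


def evaluate(change: SetpointChange) -> List[str]:
    """Return the findings for one change; an empty list means the change looks benign."""
    findings: List[str] = []
    if not NAOH_MIN_PPM <= change.new_value <= NAOH_MAX_PPM:
        findings.append(
            f"{change.tag}: {change.new_value:g} ppm outside "
            f"[{NAOH_MIN_PPM:g}, {NAOH_MAX_PPM:g}]"
        )
    # Abrupt steps in either direction are suspicious: a large drop in dosing
    # can be as dangerous to the process as a large increase.
    if change.old_value > 0 and change.new_value > 0:
        ratio = max(change.new_value / change.old_value,
                    change.old_value / change.new_value)
        if ratio > MAX_STEP_RATIO:
            findings.append(f"{change.tag}: single step of {ratio:.0f}x")
    # A flagged change made through a remote session is the pattern a monitor
    # should page on rather than merely log.
    if findings and change.source == "remote_session":
        findings.append("escalate: change originated from a remote session")
    return findings


def monitor(lines: List[str]) -> List[List[str]]:
    """Evaluate every audit-log line; returns one findings list per line."""
    return [evaluate(parse_line(line)) for line in lines]


# Constructed sample log. The second line mirrors the magnitude publicly
# reported at Oldsmar (roughly 100 ppm to 11,100 ppm); the first is a routine
# local adjustment and the third is the operator reversing the change.
SAMPLE_LOG = [
    "2021-02-05T08:00:00Z NAOH_DOSE_SP 100 110 local_hmi",
    "2021-02-05T13:30:00Z NAOH_DOSE_SP 100 11100 remote_session",
    "2021-02-05T13:31:00Z NAOH_DOSE_SP 11100 100 local_hmi",
]

if __name__ == "__main__":
    for line, findings in zip(SAMPLE_LOG, monitor(SAMPLE_LOG)):
        print(line, "->", findings or "ok")
```

The point of the two layers is that they fail independently: the clamp protects the process even if every console credential is compromised, while the monitor gives the operations team a signal that does not depend on someone happening to be watching the screen.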
So what do we do? Here are some suggestions:
- Identify who attempted to poison Oldsmar’s water. Was this a nation-state actor, and if so, which one? The answer will go a long way toward determining our risk. The government’s findings should be made public.
- Make public attribution and send a counter signal regarding what we will not tolerate—and determine what the consequences will be if that signal is ignored. Consider the full range of cyber, economic and political costs we can impose.
- Do a true top-to-bottom risk assessment, led by the federal government with support from industry-specific information sharing and analysis centers, of all critical infrastructure upon which human life depends. This includes assessing vulnerabilities and doing penetration testing, which uses authorized simulated cyber attacks on a computer system to evaluate the security of the system.
We must also support the call of the Cyberspace Solarium Commission to put in place a national cyber director and make the Department of Homeland Security’s role more prominent in coordinating our national cyber defense. This includes building a robust cybersecurity research and development effort at DHS and creating a whole-of-nation cybersecurity R&D strategy that mandates effective cyber leadership in government, as well as collaboration with the private sector, academia, federally funded research and development centers and others. In turn, DHS can encourage critical infrastructure owners and operators to conduct risk assessments and build cybersecurity programs founded on the Cybersecurity Framework published by the National Institute of Standards and Technology.
If an adversary used the attack to warn the United States about its capabilities without inciting a harsh counterattack, they are observing us carefully now. Not only do they want to gauge the effectiveness of their attack, but also how we respond.
I would hope they find that a) we are aware of what they have done, b) we are not going to tolerate it and have stiffened our defenses, and c) they are facing proportionate consequences.
We must not let this incident fade in our memories. Someone is warning us that they can poison our water — threatening our lives and livelihoods.
What are we going to do about it?
Samuel S. Visner is a technical fellow and former director of the National Cybersecurity Federally Funded Research and Development Center at MITRE. He is also a professor of cybersecurity at Georgetown University.