Blog Posts Business Management

Securing critical infrastructure environments, no matter their size

Blog: Capgemini CTO Blog

When assessing critical infrastructure environments, security teams should always ask: What is considered an acceptable risk? Is there a limit on the danger to life? Is it one life, 100 lives, 1,000 lives? According to recent news reports, a hacker gained unauthorized entry to the system controlling the water treatment plant of Oldsmar, Florida, a city of 15,000. The hacker tried to taint the water supply by increasing the level of a caustic chemical, lye, in the water supply. This act exposes a danger that has grown as systems become more computerized and accessible via the internet and remote connectivity. Was this an act of domestic terror or was it a prank gone terribly wrong? Is this a target considered worthy of a nation-state bad actor? Maybe not, but it surely is a target worth protecting from a hacker who can stumble upon an open remote session where they can do damage. This is a small municipal water treatment plant, one that probably didn’t consider itself a target. This plant has now disabled remote access. The management team realized the risk and anticipated this attack could happen. Over the years, many other municipal providers have observed that they are not targets of potential attacks. But this case shows the risk is now very real.

What was amazing about the water hack is that a supervisor saw a mouse moving on its own, and he stopped the attack. This is great threat detection, but with all the remote work being performed, what are the chances that the hacker could have accessed a system that wasn’t well monitored? Would the lye have made it into the water supply? How many of the 15,000 residents could have been injured? The fact that the remote session was hacked is significant and points to the basic lack of cybersecurity in some critical infrastructure networks. Taking down the power grid may be problematic but contaminating the water supply can be deadly. The fact that the hacker “briefly increased the amount of sodium hydroxide by a factor of one hundred (from 100 parts per million to 11,100 parts per million)” indicates that the numbers were changed … that fact equals danger! Are there backup controls? I am sure there are, but if a hacker has access to your internal systems, there is a potential for anything to be overridden.

The Oldsmar water plant was also in two prior data breaches dating back to 2017. It appears their credentials may have been exploitable for a while. Although smaller organizations do not have large security budgets, there is a need for more effective account monitoring and control. This does not necessarily require a big investment. If they had been more in tune with this important security control, then uncontrolled access would have been eliminated back in 2017 and the plant would have been rendered more secure.

What should be done to protect municipalities? Power plants that provide 1,500 MW of power are subject to NERC CIP regulations. What about the smaller power plants or water treatment plants such as the one in Oldsmar, FL? This is not to suggest that these smaller providers should be more formally governed, as regulations drive compliance, but not security. Public utilities should be held responsible for the communities they serve. These smaller plants are often underfunded and understaffed, which increases risk. Ensuring security requires a commitment not just in words but also in the funding of effective cyber controls.

Aside from regular risk compliance assessments, there is a need to ensure municipalities are providing necessary controls that address cybersecurity in their operations too.

Key steps to ensure basic cybersecurity in ICS environments:

This list can be a foundational guide, as every plant no matter its size should prioritize its obligation to its communities to keep it safe as a critical responsibility. Additionally, cybersecurity needs to be considered in every budgeting cycle and cannot be shortchanged. If you feel the organization needs help addressing these issues, get some professional guidance, have a risk assessment done, and follow basic cyber best practices to keep your community safe.

Follow me on LinkedIn.

To find out more about how we can help you, visit our Secure IoT/OT Services page.


Capgemini Expert

Larry Alls
OT Solution Architect | NA Cyber Center of Excellence
Experienced Senior Solutions Architect with a demonstrated history of working in the oil & energy industry. Skilled in Firewalls, Network Engineering, Network Security, Wireless Networking, and Cross-functional Team Leadership. Strong engineering professional with an AAS focused in Computer Science from Tampa Technical Institute.

Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples