It only took six hours for the Los Angeles Department of Water and Power to be hacked back in 2018. Early this year, an intruder lurked in hundreds of computers related to water systems across the U.S. In Portland, Oregon, burglars installed malicious computers onto a grid providing power to a chunk of the Northwest.
On February 5, a hacker gained access to the computer controlling the chemical levels at a water treatment plant in Oldsmar, Florida. They then tried to adjust the levels of sodium hydroxide in the plant. In small quantities, sodium hydroxide helps sanitize water safely. But in larger quantities, it can be fatal.
According to Sheriff Bob Gualtieri, the hacker successfully increased the sodium hydroxide level from 100 parts per million (ppm) to 11,100 ppm. Fortunately, an operator witnessed the breach as it was taking place and returned the chemical level to its appropriate setting. The water was subsequently tested to validate its safety.
"If we have a new world war tomorrow and have to worry about protecting infrastructure against a cyberattack from Russia or China, then no, I don't think we're where we'd like to be," said Andrea Carcano, co-founder of Nozomi Networks, a control system security company.
In the last few months, hackers working for profit have targeted companies running operational networks like the Colonial Pipeline fuel system. They infected the pipeline's information technology systems with ransomware, forcing its owner to stop the flow of 2.5 million barrels a day of petroleum products.
Much of the technology in critical infrastructure is too old to support sophisticated cybersecurity tools. Network administrators fear that a push to digitize critical infrastructure may increase a network's exposure to hackers, said Carcano.
Digitization has enabled industrial companies and utilities to increase efficiency with greater oversight and control of their sprawling operations, which in the case of the Colonial Pipeline extends 5,500 miles through a network branching from Texas to New Jersey. But vulnerabilities in office IT systems can offer entry points for hackers to later go after control systems.
"I think what happened [to Colonial] is the most likely model for what is ahead of us," said Chris Williams, cyber solution architect at Capgemini North America.
Standards for American pipeline infrastructure are set by the Transportation Security Administration (TSA), the government agency in charge of airport screenings, which has traditionally been understaffed and underfunded.
TSA had just six full-time staff members dealing with pipeline security until last year. That number has since increased to 34.
According to Federal Energy Regulatory Commission (FERC) Commissioner Neil Chatterjee, responsibility should be stripped from the TSA and shifted to the Department of Energy (DOE). "I was worried about the economic and national security implications of such an attack and we're seeing that in real-time with what happened with Colonial," he said.
A criminal investigation in cooperation with the Federal Bureau of Investigation (FBI) and the Secret Service has been initiated.
President Joe Biden has taken steps to tighten cybersecurity. On May 12, Biden signed an executive order aimed at strengthening the country's cybersecurity defenses.
The president's executive order calls for the federal government and private sector to partner in confronting "persistent and increasingly sophisticated malicious cyber campaigns" that threaten national security.
Calling the Colonial Pipeline hack a "stark reminder" of the need to harden critical infrastructure, Energy Secretary Jennifer Granholm said last month that "in the face of an evolving array of 21st-century risks, we have to rethink our approach to security, and to reassess the authorities that we can bring to bear during these kinds of emergencies."
The government tends to be passive when a cyberattack causes no actual damage. Take the case of ONE Gas Inc. in Tulsa, Oklahoma as an example.
Niyo Pearson was overseeing cybersecurity there in January 2020 when his team was alerted to malware trying to enter its operational system – the side that controls natural gas traffic across Oklahoma, Kansas and Texas.
For two days, his team was in a dogfight with the hackers who moved laterally across the network. Ultimately, Pearson's team managed to expel the intruders.
When Richard Robinson at Cynalytica fed the corrupted files into his own identification program, ONE Gas learned it was dealing with malware capable of executing ransomware.
Pearson tried to bring the data to the FBI but it would only accept it on a compact disc, he said. His system couldn't burn the data onto a CD. When he alerted the Department of Homeland Security (DHS) and sent it through a secure portal, he never heard back from the agency.
Robinson gave a presentation to the DHS, the DOE, the Department of Defense and the intelligence community on a conference call. He never heard back either.
"We got zero, and that's what was really surprising," Robinson said. "Not a single individual reached back out to find out more about what happened to ONE Gas."