Don’t Drink the Cyber: Extrapolating the Possibilities of Oldsmar’s Water Treatment Cyberattack

James Cervini, Aviel Rubin and Lanier Watkins
The Johns Hopkins University, Baltimore, USA
jschaf12@jhu.edu
rubin@jhu.cs.edu
lanier.watkins@jhuapl.edu

Proceedings of the 17th International Conference on Information Warfare and Security, 2022

Abstract: Water treatment represents an essential critical infrastructure sector which has a direct impact on the health and well-being of its customers. Water treatment is often performed by municipalities with very limited budgets for cybersecurity resources. These underfunded, high-impact targets represent an emerging cyber warfare attack-surface paradigm which poses a direct threat to the quality of life for millions of people. On February 5th, 2021, a water treatment plant in Oldsmar, Florida was the victim of an attempted cyberattack. This attack commanded the system to add a dangerous amount of sodium hydroxide to water which supplied thousands. Direct exposure to sodium hydroxide causes painful burns to the exposed area, with permanent internal damage likely upon ingestion. A system operator noticed this malicious behaviour and corrected the situation, minimizing the attack’s impact. This paper outlines the attack and illustrates how minor modifications to the attacker’s tactics, techniques, and procedures could have resulted in a cyber-derived catastrophe for thousands of unsuspecting citizens. Lastly, this paper explores the effectiveness of various low-cost cyber-physical security technologies when pitted against differing attacker models in these theoretical scenarios. These cybersecurity solutions are evaluated by cost, ease of use, implementation difficulty, and ability to support safe operation continuity when faced with adversary behaviour. The results of this evaluation illuminate a path forward for low-cost threat mitigation which increases the difficulty of compromising these critical cyber-physical systems.

With attacks targeting industrial control systems on the rise, the Oldsmar water treatment cyberattack represents more than an individual incident: it can be viewed as a reflection of the current status of thousands of similar critical infrastructure systems that have yet to be caught in the crosshairs of a competent and willing adversary, with financial incentives and cyber warfare mission requirements serving as the impetus for adversary willingness and any resulting large-scale cyber cataclysm.

Keywords: operational technology, water treatment, Oldsmar Florida, cybersecurity, cyber warfare, cyber attack

1. Introduction

The water and wastewater systems sector is labelled as a vital critical infrastructure sector by the United States’ Department of Homeland Security (DHS), which describes this sector as “essential to modern life” (DHS, 2015). Water treatment responsibilities are commonly performed by municipalities with meagre budgets for cybersecurity resources. According to a report which surveyed water sector utilities, 44.8 percent claimed less than 1 percent of their overall budget was dedicated to operational technology (OT) cybersecurity (ThreatLocker Inc., 2021). The high impact of water treatment disruption and malicious manipulation, when paired with an underfunded defensive cyber-posture, results in an emerging cyber warfare paradigm which poses a direct threat to the quality of life for millions of people. The 2021 water treatment cyberattack orchestrated in Oldsmar, Florida represents a relevant example of the cybersecurity shortcomings prevalent in underfunded municipalities. While Oldsmar is home to approximately 15,000 residents, coordinated cyber warfare campaigns targeting these vulnerable critical systems represent asymmetric threats which could impact millions. This paper contributes to the domain by researching a relevant OT municipal cyberattack with unrealized impact while framing it in the context of cyber warfare at scale.

Furthermore, this paper illustrates how an increased likelihood of impact realization is possible while outlining mitigations mindful of the operational constraints of municipalities. Section two of this paper describes and dissects this attack, and section three shows how slight modifications to the attacker’s tactics, techniques, and procedures (TTPs) could have resulted in a devastating cyberattack. Subsequently, section four describes low-cost mitigations which aim to counter the exhibited threats, with each mitigation type described in its own sub-section. Lastly, section five concludes the paper with closing thoughts.

2. The Oldsmar Water Treatment Attack

The attack began on February 5th, 2021, at 0800, when the attacker leveraged compromised credentials and the common remote access software TeamViewer to log in to a plant operator’s console. Following the login, the attacker immediately logged off and disconnected the session (Pinellas County, 2021). This was likely the attacker confirming system, connection, and credential validity. At this point the attacker could have also taken
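As an added illustration, not code from the paper, the following Python sketches detection logic for the two behaviours section two attributes to the attacker: a remote session that connects and disconnects almost immediately, and a chemical dosing setpoint change far outside a safe operating band. The session log, the HMI audit trail and the sodium hydroxide limits are constructed for this example; real limits come from the plant's process engineers.

```python
# Added example (not the paper's code): flag the two behaviours attributed to the
# Oldsmar attacker, a connect-and-disconnect probe session and an unsafe dosing change.
from datetime import datetime, timedelta

# Hypothetical engineering limits for a sodium hydroxide (NaOH) dosing setpoint, in
# ppm. Real bounds come from the plant's process engineers, not from this script.
NAOH_SAFE_BAND_PPM = (50.0, 200.0)
MAX_RELATIVE_JUMP = 2.0             # flag any change to more than 2x the old value
PROBE_SESSION_MAX = timedelta(seconds=30)

# Constructed remote-access log: (user, connect time, disconnect time)
SESSIONS = [
    ("operator1", "2021-02-05 08:00:05", "2021-02-05 08:00:14"),  # 9-second probe
    ("operator1", "2021-02-05 13:30:00", "2021-02-05 13:34:10"),
]
# Constructed HMI audit trail: (time, tag, old value, new value)
SETPOINT_CHANGES = [
    ("2021-02-05 13:31:40", "NaOH_dose_ppm", 100.0, 120.0),   # routine adjustment
    ("2021-02-05 13:32:02", "NaOH_dose_ppm", 120.0, 9000.0),  # far outside band
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def probe_sessions(sessions, limit=PROBE_SESSION_MAX):
    """Sessions that disconnect within `limit` of connecting (credential checks)."""
    return [s for s in sessions if parse(s[2]) - parse(s[1]) <= limit]

def unsafe_setpoints(changes, band=NAOH_SAFE_BAND_PPM, jump=MAX_RELATIVE_JUMP):
    """Changes that leave the safe band or exceed `jump` times the old value."""
    lo, hi = band
    return [c for c in changes
            if not lo <= c[3] <= hi or (c[2] > 0 and c[3] / c[2] > jump)]

def session_for(ts, sessions):
    """Remote sessions active at `ts`, to tie a setpoint change to its operator login."""
    t = parse(ts)
    return [s for s in sessions if parse(s[1]) <= t <= parse(s[2])]

if __name__ == "__main__":
    for s in probe_sessions(SESSIONS):
        print("probe-style remote session:", s)
    for c in unsafe_setpoints(SETPOINT_CHANGES):
        print("unsafe setpoint change:", c, "during", session_for(c[0], SESSIONS))
```

A band check like this belongs in the controller or a safety layer independent of the HMI, so that a setpoint entered through a compromised remote console is rejected rather than merely alarmed.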