Issue in Brief: A recent cyberattack on a Florida water treatment facility highlights the growing threat of cyber-attacks on critical infrastructures, prompting an investigation from the EPA and FBI, and motivating lawmakers to make independent inquiries about the sufficiency of relevant cybersecurity standards and requirements for these facilities, including the 2015 critical infrastructure protection strategies overseen by the U.S. Department of Homeland Security.
Next Steps: Impacted businesses should take action to improve their cybersecurity practices using, among other things, the 2015 guidance and other industry best practices.
On the Horizon: As cyber incidents affecting critical infrastructure continue to increase, businesses are likely to see more guidance and additional laws and regulations relating specifically to protecting the Nation’s critical infrastructures from cyber threats.
Critical Infrastructure Systems (CIS)—those essential to the functioning of society, such as sanitation, water treatment, energy production, etc.—have become a popular target for cybercriminals. In 2020, cyberattacks on CIS facilities dramatically increased, with water and wastewater facilities seeing a large share of the increase. Experts seem unanimous in believing this uptick in attacks on CIS will continue in the years to come.
In fact, this month, an unauthorized third party infiltrated the Supervisory Control and Data Acquisition (SCADA) system—an electronic system used to monitor and control a plant or equipment in industries such as energy, water and waste control, and oil and gas refining—at a drinking water treatment facility in Oldsmar, Florida, in an apparent effort to poison the water supply. The third party was able to raise the concentration of lye (a chemical used in the treatment process) to potentially lethal levels. The Oldsmar facility serves a population of nearly 15,000 people—meaning that, had the attack been successful, all these individuals could have consumed deadly drinking water. Thankfully, attentive employees at the facility quickly noticed the change and corrected the issue, and, in the end, nobody was harmed. Federal officials have launched an investigation into the attack, and lawmakers are submitting follow-on inquiries about the facility’s compliance with certain Department of Homeland Security (DHS) guidelines and whether the DHS needs to update the guidelines.
The third party is believed to have exploited the plant’s SCADA system due to poor password protections and the system’s use of antiquated versions of Microsoft Windows that no longer receive certain security updates. The third party entered the SCADA system through a ubiquitous screenshare program called TeamViewer.
What to Expect
Because it is almost certain that attacks on CISs will increase in the future, all CIS operators should expect their systems to be targeted. Federal officials and industry experts have noted that CISs make attractive targets to cybercriminals due to the potential to harm (or threaten to harm) large numbers of people in a single hack. Accordingly, CIS operators should expect to focus more attention and resources on enhancing their cybersecurity.
Further, laws and regulations are likely to be enacted to require certain cybersecurity practices to reduce the likelihood that successful hacks will occur in the future. Recently, in part due to other cyberattacks, such as the highly publicized SolarWinds hack, federal lawmakers have stressed the importance of improving the Nation’s cybersecurity laws and regulations. As such, it is fair to expect that compliance with various laws and regulations relating to cybersecurity will become a necessary component of running a business.
What to Do
For now, there is no singular set of rules governing a CIS facility’s cybersecurity practices. However, a helpful place to start is with the DHS’s 2015 Sector-Specific Plans for sixteen types of infrastructure industries, which were issued in response to Executive Orders issued by former President Obama. See 2015 Sector-Specific Plans, Cybersecurity & Infrastructure Security Agency (2015), available here. While issued by DHS, these plans were developed in conjunction with other agencies and private partners to focus on the unique conditions of each of the listed industries. After the issuance of the 2015 Sector-Specific Plans, former President Trump also took executive action to strengthen cybersecurity for CISs, which offers additional, useful information. See Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Cybersecurity & Infrastructure Security Agency (May 11, 2017), available here.
Boiled down, there are various protective measures that a business can take to harden its industrial control systems and reduce its exposure to cybercriminals. Such measures include, but are not limited to:
- Patch management: update software and patches regularly;
- System updates: avoid using outdated and unsupported operating systems;
- Technical safeguards: update firewalls and anti-virus software, and ensure that such software is working properly through regular testing;
- Administrative safeguards: use strong authentication measures, including strong and varied passwords that are changed regularly, and implement two-factor authentication;
- Training: educate employees on the risks of cyberattacks, how to spot potential attacks, and how to protect against third parties if they do obtain unauthorized access to a given system;
- Response plan: develop and test an incident response plan specific to the compromise of an ICS system, and ensure that potential threats or suspicious activities are reported to relevant federal agencies, such as the FBI, CISA, NSA, and DHS;
- Best practices and guidance: stay abreast of evolving industry best practices and technology, and continuously monitor agency notices or alerts to respond nimbly to newly identified vulnerabilities; and
- Auditing / Testing: audit your ICS systems routinely to discover vulnerabilities and resolve potential weaknesses in a system or within the organization’s cyber-preparedness and response procedures.
Cybersecurity practices will need to continue to improve and evolve as cyberattacks become more commonplace and cybercriminals become more sophisticated. There is no one-size-fits-all approach to cybersecurity, and all businesses will need to remain flexible and continuously improve their practices to mitigate the risk of third parties obtaining unauthorized access to their technology systems.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.