A Wake-Up Call for Critical Infrastructure: Lessons from the Florida Water Supply Attack

The security breach that occurred on Feb. 8, 2021 at the water treatment plant in Oldsmar, Florida illustrates the lack of security rigor in critical infrastructure. It's a wake-up call for anyone questioning the need for ultra-secure network communications. After gaining unauthorized access to the plant's supervisory control and data acquisition (SCADA) system, an unidentified actor tampered with the amount of sodium hydroxide, also known as lye, in the city's drinking water. Remote access allowed the cybercriminal to increase the level of this potentially dangerous chemical by a factor of 100.

Thankfully, an employee who was monitoring the plant's TeamViewer remote access software caught the criminal in the act and returned the water's lye level to its healthy, standard rate. While the act had no life-threatening repercussions, the scare created an immediate need to re-evaluate the dangers of lax security protocols and the ease of man-in-the-middle attacks against the systems that manage critical infrastructure.

Critical Infrastructure’s Unique Threat Landscape and Motivation of Bad Actors 

When we talk about cybercrime and major, headline-making breaches, it’s likely that data theft comes to mind. But this isn’t usually the case for attacks against critical infrastructure. According to research by the Organization of American States, nefarious actors are more inclined to make attempts to control or even shut down systems to induce harm rather than seek out monetary gain.

The Oldsmar security breach underscores these findings: the perpetrator easily navigated the water plant's system, which controlled the levels of lye, and was able to make changes that could have endangered citizens.

Over time, SCADA systems have become increasingly integrated with other third-party systems via the Internet. This has exposed the nation’s critical infrastructure to new risks and cyber vulnerabilities as data travels between systems and across vast, large-scale networks. In this specific case, the cybercriminal’s changes to Oldsmar’s SCADA system were only active for a few minutes, and an employee was able to see those changes made in real time. However, the system’s vulnerability allowed for such an attack to occur. 

Ensuring a Secure and Resilient Critical Infrastructure with Quantum-Safe Key Exchange

Quantum Key Distribution (QKD) is a highly effective countermeasure to man-in-the-middle attacks because it's ruled by the laws of quantum physics. If the encryption keys are tampered with in any way (eavesdropping, theft or cloning), their quantum state changes, immediately notifying both sender and receiver and terminating the key exchange session. The U.S. government has recognized the potential and immediate use case of QKD for critical infrastructure, enlisting Oak Ridge and Los Alamos National Labs to work on a multiphase project to make QKD over the North American power grid a reality. The problem is that QKD has limitations, which could take several more years to address and overcome. In the meantime, more Oldsmar-like attacks could occur with devastating consequences.
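The tamper-detection property described above, as an added example that is not from the original article or from Quantum Xchange: a classical simulation that assumes the BB84 protocol (which the article does not name) and an intercept-resend eavesdropper. It shows that detection is statistical: the eavesdropper drives the error rate on the compared key bits to about 25%, and the endpoints abort above an assumed 11% threshold.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the other basis returns a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def run_bb84(n_photons, eavesdrop, seed=1):
    """Simulate one key exchange and return the error rate (QBER)
    on the sifted key, i.e. positions where both ends used the same basis."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    sifted = errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        bit, basis = a_bit, a_basis    # state travelling on the link
        if eavesdrop:
            # Intercept-resend: the eavesdropper must guess a basis,
            # and a wrong guess re-encodes the photon in that wrong basis.
            e_basis = rng.randint(0, 1)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.randint(0, 1)
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:         # sifting: keep matching-basis rounds
            sifted += 1
            errors += (a_bit != b_bit)
    return errors / sifted if sifted else 0.0

def session_ok(qber, threshold=0.11):
    """Assumed abort rule: 0.11 is a commonly cited BB84 bound,
    not a value taken from the article."""
    return qber <= threshold

if __name__ == "__main__":
    for label, tapped in (("clean link", False), ("tapped link", True)):
        qber = run_bb84(4000, eavesdrop=tapped)
        verdict = "key accepted" if session_ok(qber) else "session aborted"
        print(f"{label}: QBER={qber:.3f} -> {verdict}")
```

On real links, noise and loss also produce a nonzero error rate, so the endpoints compare the measured rate against a threshold rather than expecting zero.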

Quantum Xchange helps critical infrastructure operators secure their existing network communications links by preventing the theft of encryption keys used for protection. Our Phio Trusted Xchange (TX) solution uses an out-of-band key distribution architecture, over a quantum-safe network, to prevent a hacker from simply copying the data and the key that protects it from a single network connection. If QKD-level security is desired, Phio TX can be used to overcome its distance and delivery limitations by enabling quantum keys to travel unlimited distances via multiple QKD links. Phio TX can also support multiple clients at each endpoint, which no other QKD solution offers. 

Quantum Xchange provides critical infrastructure with a practical pathway to quantum readiness and an infinitely stronger cybersecurity posture today. Learn more about how to safeguard the economic security, public health, and safety of our nation with solutions from Quantum Xchange.
