Widgetized Section

Go to Admin » Appearance » Widgets » and move Gabfire Widget: Social into that MastheadOverlay zone

Cybersecurity and Critical Infrastructure

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Malik Dulaney
April 22, 2021

In February 2021, Oldsmar, FL became the focal point for municipal water systems cybersecurity around the country. The Oldsmar water system was breached and an attacker changed critical system settings. The Oldsmar incident is an example of the inherent dangers of critical infrastructure services that rely on dated industrial control systems (ICS) not designed to operate in a newly internet-connected world. While the most recent water hack has brought this issue to light, this has widespread implications for a variety of federal, state and local critical infrastructure managed with industrial control systems. In this column, I will introduce industrial control systems to the PA Times community; outline several publicized incidents; and offer useful recommendations to begin to address cybersecurity for these systems.

What are Industrial Control Systems?

Industrial control systems are information technologies that control physical devices in industrial processes. They manage, regulate or modify industrial processes. For example, ICS is used to control chemical mixtures in water treatment plants and generators in power plants. ICS is also used in manufacturing to control industrial robots and conveyor belts. More importantly, it is used for much of the country’s critical infrastructure, including mass transit systems, emergency management systems, chemical processing, refineries, dams, defense industrial base, nuclear reactors, healthcare and financial services. Industrial control systems often include older legacy systems built in previous computing eras. Many of these systems were not designed with interconnected networks in mind, making them inherently secure. ICS is also unique because many of their applications control services that can cause physical harm to human beings. Because of these characteristics, industrial control systems are attractive targets for hackers, especially those backed by nation-states.

The Most Recent ICS Incident

The Oldsmar, FL incident is a recent example of the potential of ICS to endanger human life. On February 5, 2021, a machine operator at the Oldsmar city municipal water company was working on a system terminal when he noticed the cursor moving on its own. He watched the cursor move across the screen and increase the settings that controlled the mixture of sodium hydroxide. Sodium hydroxide, also known as lye, is a chemical used to remove metals from water and control the PH level of potable water. In high amounts it can damage human tissue. The terminal had a remote connection using TeamViewer remote access software. The hacker had found the plant’s internet accessible TeamViewer software and connected to it from an unknown location. After the hacker left the system, the plant operator was able to reset the sodium hydroxide levels to normal. This incident alarmed water treatment plant operators across the country and demonstrated the vulnerability of these critical systems.

Other ICS Incidents

There have been several other high-profile incidents involving industrial control systems. In 2019, a former employee of a Kansas water system hacked into their systems. He shut down the facility’s disinfecting and cleaning capabilities, putting the water’s usability in danger. In 2013, the systems for a small sluicegate dam in Rye Brook, New York were compromised by Iranian hackers. The hackers didn’t do any damage, but it may have been a test for a more lucrative target. In 2017, hackers were able to turn on 156 tornado sirens in Dallas, TX. Two years later in Desoto, TX, hackers activated emergency tornado sirens that blared for 40 minutes in the middle of the night. Harvard, IL had to decommission their 1950’s era siren system after several similar attacks.

There have been several well publicized international incidents. Ukraine experienced an attack on its power grid in 2016. Hackers compromised electrical distribution systems, shutting down electricity for over 200,000 people for eight hours. The Stuxnet attack on Iran’s Natanz nuclear enrichment systems also falls within the realm of industrial control systems. In this case of cyber warfare, a carefully crafted computer worm was used to subtly throw off the ICS components that managed spinning gas centrifuges. The attack caused significant damage to Iran’s nuclear program.


Public administrators with these systems in their portfolios should refer to the recommendations outlined by the National Institute of Standards and Technology’s (NIST) SP 800-82 Revision 2 publication for effective ICS cybersecurity strategies. Cybersecurity practitioners recommend segregating ICS systems from the internet. Only use remote access when it is necessary. The access should be controlled by the operator and time limited. Segment ICS networks to reduce attack surface. Utilize whitelisting and multifactor authentication technologies. Overall, use zero trust and least privilege principles in designing ICS security solutions.

The previously discussed incidents demonstrate the susceptibility of ICS based critical infrastructure being compromised by hackers. The recommendations that have been presented outline several effective strategies to protect ICS. Many of these systems fall into the purview of local, state, and federal entities. It is important that public administrators keep these threats in mind when considering cybersecurity measures for their agency, organization, or government entity. 

Author: Malik Dulaney, PhD, CISSP is an information technology professional with the University of Dallas and an adjunct cybersecurity professor with the Gupta College of Business at the University of Dallas. He is also a public sector researcher with research interests in cybersecurity in public and nonprofit organizations, cyber warfare and information technology policy. He can be reached at [email protected].

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 4.50 out of 5)

Leave a Reply

Your email address will not be published. Required fields are marked *