Penn Undergraduate Law Journal

The Roundtable


Welcome to the Roundtable, a forum for incisive commentary and analysis
on cases and developments in law and the legal system.


Digital Rust: Why a Legal Framework for Declining Infrastructure Cybersecurity is More Important Than Ever

4/19/2021

By Joseph Squillaro
Joseph M. Squillaro is a member of the Class of 2022 at the University of Pennsylvania studying Philosophy, Politics and Economics (PPE) with a concentration in cyber policy and Internet law, and is both a writer and an editor for the Penn Undergraduate Law Journal.
While most of the United States was preparing to watch the Tampa Bay Buccaneers take on the Kansas City Chiefs at Super Bowl LV in Tampa, Florida, a much more sinister scene was unfolding a few miles away in the small bedroom community of Oldsmar, FL on February 5th, 2021. At the municipal Bruce T. Haddock Water Treatment Plant, responsible for providing the town with fresh drinking water, a skeleton crew was assigned that Friday night, a shift that is typically as uneventful as the taste of water itself. Little did these employees know, however, that the plant was under attack, not by a physical intruder but by a digital one that was able to gain control of the plant’s controls via the internet. Covertly, malicious hackers were able to gain access to the plant’s Windows 7 computer systems via a tool called TeamViewer, which is typically used to give remote access to employees, especially during the COVID-19 pandemic [1]. Typically, this type of attack would be stopped via modern antivirus software, but the operator was using significantly older operating systems which were never updated with necessary security patches. Furthermore, plant personnel had received no adequate training on how software programs like TeamViewer could pose a risk. From there, because the computers and the plant control system were not air-gapped (a modern protocol where two systems are not digitally connected, to prevent unauthorized access), the hackers were able to access the Supervisory Control and Data Acquisition (SCADA) system and raise the concentration of lye (the active component in drain cleaner, which is used in small quantities to remove metals in wastewater) from 100 parts per million to 11,100 parts per million. Had the attack succeeded, the trusted tap water of Oldsmar would have become incredibly deadly. Luckily, an astute worker noticed the toxic change, took the system offline and reverted the lye concentration.
While this situation had a positive outcome for Oldsmar, it could have become significantly worse, and despite an FBI investigation, no credible leads were found to hold the attempted murderers accountable [2]. This incident brings to light the scary reality that our infrastructure systems, which are becoming increasingly reliant on internet-connected computing, are vulnerable to cyberattack, and that there is little to no effective regulatory policy for the operators of infrastructure who are negligent in maintaining their cyber defenses.
Not a New Phenomenon

Cyberattacks on infrastructure SCADA systems are not new. In 2017, an unnamed gas refinery plant in the Middle East had its SCADA systems overridden via a malware attack called TRITON, aptly named after it exploited vulnerabilities within the Triconex Tricon industrial security system. With no security measures in place due to the security system being deactivated, the refinery was at risk of unmitigated gas line explosions, which would have led to certain death for hundreds of employees [3]. Similar to the events in Oldsmar, the attack was thwarted and the hacker was never identified. In the world of cybersecurity, the objective has shifted in the last decade away from finding cyber culprits and towards better preventative and protective measures for would-be targets. Despite the increasing frequency of such attacks, infrastructure operators are reluctant to add these measures due to their high cost and an “it won't happen to us” attitude [4]. But at some point it will, and the legal system must develop ways to hold negligent operators accountable, most certainly in successful attacks, but also in those where the system was breached, as in Oldsmar.

The Problem with the Existing Legal Framework

Currently, the law in many countries such as the U.S. concerning industrial cyber attacks is mostly informative in nature. For example, an operator is compelled to file an incident report if they face an attack [5]. However, with no enforcement mechanism or clear punitive measures, behavioral economics dictates it is more cost effective to simply not file a report and risk being caught, an unlikely outcome because few government resources are spent on investigations. Operators choose to evade filing a report because it opens their plant up to further scrutiny, likely leading to significant remediation costs and possibly to having their license revoked. We can see this first hand in the U.K., where a 2018 cyber law forces energy companies to inform the government of cyber breaches. Despite independent investigators discovering hundreds of such breaches in the time since the law was enacted, no official reports were ever filed, completely circumventing the point of the law in the first place [6]. With no reports ever filed for the government to conduct a proper investigation, no penalties levied to dissuade such corporate behavior, and no action taken to better secure one’s systems, it is only a matter of time before an incident like Oldsmar becomes successful and takes hundreds or thousands of innocent lives.

Keeping Our Infrastructure Digitally Accountable

Instead of a laissez-faire approach toward digital infrastructure security laws, governments around the world, both national and local, must take proactive, rather than reactive, action. A current effective model that could possibly be the archetype for the future of digital infrastructure security is that of various local health departments. For example, in New York City, restaurants are randomly visited by health inspectors who ensure the establishment is in compliance with health codes defined by law and if violations are found, fines are imposed and improvements must be made for them to reopen. With infrastructure operators, random cybersecurity protocol audits can be conducted with similar actions levied against violators, including legal action. With this model, the issue of self-reporting is mitigated and an incentive to keep one’s system secure is clearly defined. Through this method, society will be one step closer to holding operators accountable for their digital security.

Going back to that late Friday night in Oldsmar, Florida, it is important to recognize that this could have had far worse consequences, both on innocent people and on the negligent operator who did not follow even the most basic of cybersecurity update procedures. Yet, the latter was able to escape with no accountability. In a world where operators are becoming increasingly reliant on technology connected to the internet, it is imperative that this issue gets the attention it needs from both the private and public sector, through the writing and legal enforcement of cyber safety laws for infrastructure operators [7]. It is not a matter of if, but when, the next crippling infrastructure cyber attack will occur, and with the proper proactive legal framework in place, we can and should be prepared.

Bibliography
[1] Margolin, J., & Pereira, I. (2021, February 11). Outdated computer system exploited in Florida water treatment plant hack. Retrieved April 13, 2021, from https://abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550
[2] Research, G. (2021, February 16). SCADA hack on Florida water plant a reminder of risk to critical infrastructure posed by cyberattacks. Retrieved April 13, 2021, from https://www.verdict.co.uk/water-cybersecurity-scada-hack/
[3] Seals, T. (2020, July 24). NSA urgently warns on industrial cyberattacks, Triconex critical bug. Retrieved April 13, 2021, from https://threatpost.com/nsa-urgent-warning-industrial-cyberattacks-triconex/157723/
[4] Newman, L. (2018, January 19). Triton malware details show the dangers of industrial system sabotage. Retrieved April 13, 2021, from https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/
[5] Benady, D. (2021, March 16). Middle East's critical infrastructure faces cyberattacks while digital transformation fuels data theft. Retrieved April 13, 2021, from https://www.idgconnect.com/article/3611209/middle-easts-critical-infrastructure-faces-cyberattacks-while-digital-transformation-fuels-data-the.html
[6] Martin, A. (2021, March 23). UK cyber security law forcing energy companies to report hacks has led to no reports, despite numerous hacks. Retrieved April 13, 2021, from https://news.sky.com/story/uk-cyber-security-law-forcing-energy-companies-to-report-hacks-has-led-to-no-reports-despite-numerous-hacks-12254296
[7] Duric, A. (2021, March 15). 3 ways agencies can restore cybersecurity trust. Retrieved April 13, 2021, from https://gcn.com/articles/2021/03/15/secure-infrastructure.aspx
The opinions and views expressed in this publication are the opinions of the designated authors and do not reflect the opinions or views of the Penn Undergraduate Law Journal, our staff, or our clients.
