Digital Rust: Why a Legal Framework for Declining Infrastructure Cybersecurity is More Important Than Ever

By Joseph Squillaro
​
Joseph M. Squillaro is a member of the Class of 2022 at the University of Pennsylvania studying Philosophy, Politics and Economics (PPE) with a concentration in cyber policy and Internet law, and is both a writer and an editor for the Penn Undergraduate Law Journal.

While most of the United States was preparing to watch the Tampa Bay Buccaneers take on the Kansas City Chiefs at Super Bowl LV in Tampa, Florida, a much more sinister scene was unfolding a few miles away in the small bedroom community town of Oldsmar, FL on February 5th, 2021. At the municipal Bruce T. Haddock Water Treatment Plant, responsible for providing the town with fresh drinking water, a skeleton crew was assigned that Friday night, a shift that is typically as uneventful as the taste of water itself. Little did these employees know, however, that the plant was under attack, not by a physical intruder, but a digital one that was able to gain control of the plant’s controls via the internet. Covertly, malicious hackers were able to gain access to the plant’s Windows 7 computer systems via a tool called TeamViewer, which is typically used to give remote access to employees, especially during the COVID-19 pandemic [1]. Typically, this type of attack would be stopped via modern antivirus software, but the operator was using significantly older operating systems which were never updated for necessary security patches. Furthermore, there was no adequate training to plant personnel about how software programs like TeamViewer could pose a risk. From there, because the computers and the plant control system were not air gapped (a modern protocol where two systems are not digitally connected to prevent unauthorized access), the hackers were able to access the Supervisory Control and Data Acquisition (SCADA) system and raise the lye concentration (the active component in drain cleaner which is used in small quantities to remove metals in wastewater) from 100 parts per million to 11,100 parts per million. If successful, the trusted tap water of Oldsmar would have become incredibly deadly. Luckily, an astute worker noticed the toxic change, took the system offline and reverted the lye concentration. While this situation had a positive outcome for Oldsmar, the situation could have become significantly worse and despite an FBI investigation, no credible leads were found to hold the attempted-murderers accountable [2]. This incident brings to light the scary reality that our infrastructure systems, which are becoming increasingly reliant on internet-connected computing, are vulnerable to cyberattack and there is little to no effective regulatory policy for the operators of infrastructure who are negligent in maintaining their cyber defenses.

Not a New Phenomenon
​
Cyberattacks on a piece of infrastructure’s SCADA systems are not new. In 2017, an unnamed gas refinery plant in the Middle East had its SCADA systems overridden via a malware attack called TRITON, aptly named after it exploited vulnerabilities within the Triconex Tricon industrial security system. With no security measures in place due to the security system being deactivated, the refinery was at risk of unmitigated gas line explosions, which would have led to certain death for hundreds of employees [3]. Similar to the events in Oldsmar, the attack was thwarted and the hacker was never able to be identified. In the world of cybersecurity, the objective has shifted in the last decade away from finding cyber culprits and towards better preventative and protective measures for would-be targets. Despite the increasing frequency of such attacks, infrastructure operators are reluctant to add these measures due to their high cost and a “it won't happen to us” attitude [4]. But at some point it will and the legal system must develop ways to hold negligent operators accountable, most certainly in successful attacks, but also in those where the system was breached like in Oldsmar.

The Problem with the Existing Legal Framework

Currently, the law in many countries such as the U.S. concerning industrial cyber attacks is mostly informative in nature. For example, an operator is compelled to file an incident report if they face an attack [5]. However with no enforcement mechanism or clear punitive measures, behavioral economics dictates it is more cost effective to simply not file a report and risk being caught, an unlikely phenomenon due to little government resources spent on investigations. Operators choose to evade filing a report because it opens their plant up to further scrutiny, likely leading to significant costs to fix and possibly have their license revoked. We can see this first hand in the U.K. where a 2018 cyber law forces energy companies to inform the government of cyber breaches. Despite independent investigators discovering hundreds of such breaches in the time since the law was enacted, no official reports were ever filed, completely circumventing the point of the law in the first place [6]. With no reports ever filed for the government to conduct a proper investigation, no penalties levied to dissuade such corporate behavior, and no action taken to better secure one’s systems, it is only a matter of time before an incident like Oldsmar becomes successful and kills hundreds or thousands of innocent lives.

Keeping Our Infrastructure Digitally Accountable

Instead of a laissez-faire approach toward digital infrastructure security laws, governments around the world, both national and local, must take proactive, rather than reactive, action. A current effective model that could possibly be the archetype for the future of digital infrastructure security is that of various local health departments. For example, in New York City, restaurants are randomly visited by health inspectors who ensure the establishment is in compliance with health codes defined by law and if violations are found, fines are imposed and improvements must be made for them to reopen. With infrastructure operators, random cybersecurity protocol audits can be conducted with similar actions levied against violators, including legal action. With this model, the issue of self-reporting is mitigated and an incentive to keep one’s system secure is clearly defined. Through this method, society will be one step closer to holding operators accountable for their digital security.

Going back to that late Friday night in Oldsmar, Florida, it is important to recognize that this could have had far worse consequences, both on innocent people and on the negligent operator who did not follow even the most basic of cybersecurity update procedures. Yet, the latter was able to escape with no accountability. By writing and legally enforcing cyber safety laws for infrastructure operators, in a world where operators are becoming increasingly reliant on technology connected to the internet, it is imperative that this issue gets the attention it needs from both the private and public sector [7]. It is not a matter of if, but when, the next crippling infrastructure cyber attack will occur and with the proper proactive legal framework in place, we can and should be prepared.

Bibliography
[1] Margolin, J., & Pereira, I. (2021, February 11). Outdated computer system exploited in Florida water treatment plant hack. Retrieved April 13, 2021, from https://abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550
[2] Research, G. (2021, February 16). SCADA hack on Florida water plant a reminder of risk to critical infrastructure posed by cyberattacks. Retrieved April 13, 2021, from https://www.verdict.co.uk/water-cybersecurity-scada-hack/
[3] Seals, T. (2020, July 24). Nsa urgently warns on industrial cyberattacks, triconex critical bug. Retrieved April 13, 2021, from https://threatpost.com/nsa-urgent-warning-industrial-cyberattacks-triconex/157723/
[4] Newman, L. (2018, January 19). Triton malware details show the dangers of industrial System Sabotage. Retrieved April 13, 2021, from https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/
[5] Benady, D. (2021, March 16). Middle East's critical infrastructure faces cyberattacks while digital transformation fuels data theft. Retrieved April 13, 2021, from https://www.idgconnect.com/article/3611209/middle-easts-critical-infrastructure-faces-cyberattacks-while-digital-transformation-fuels-data-the.html
[6] Martin, A. (2021, March 23). UK cyber security law forcing energy companies to REPORT hacks has led to no reports, despite numerous hacks. Retrieved April 13, 2021, from https://news.sky.com/story/uk-cyber-security-law-forcing-energy-companies-to-report-hacks-has-led-to-no-reports-despite-numerous-hacks-12254296
[7] Duric, A. (2021, March 15). 3 ways agencies can restore CYBERSECURITY TRUST. Retrieved April 13, 2021, from https://gcn.com/articles/2021/03/15/secure-infrastructure.aspx
The opinions and views expressed in this publication are the opinions of the designated authors and do not reflect the opinions or views of the Penn Undergraduate Law Journal, our staff, or our clients.