
Experts React: Hackers Try To Contaminate Florida Water Supply

On Feb. 8 the news broke that a hacker had compromised a water treatment facility system in Florida via the remote access software TeamViewer and used that access to raise the sodium hydroxide level in the water to dangerous, poisonous concentrations.


Thankfully, the attack was caught when an employee noticed actions being executed on the computer, watched the changes as they were made, and quickly reversed them.

This was a real-world incident in which a cyberattack could have had a direct, life-threatening impact.

We heard from cybersecurity experts who specialize in ICS and critical infrastructure security on what this attack means for the industry and what lessons can be learned from it.


Lynsey Wolf, Senior Counter-Insider Threat Analyst, Security and Business Intelligence at DTEX Systems:


“Critical infrastructure is a continuously running, vital asset. Thankfully, in the attack against the water treatment facility in Oldsmar, Florida, the plant operator witnessed the malicious actor remotely access the company’s system in real time, and so was able to immediately remediate their actions. The question providers of critical infrastructure need to be asking themselves is, if this were to happen within their organization during the hours that the plant operator was not monitoring their computer, would they have caught this attack before any real, life-threatening damage was done?

The moment an outsider breaches an organization they become an “insider” threat. It’s crucial that organizations monitor employee behavior to gather workforce cyber intelligence, so that when anomalous behavior occurs that strays from the norm of what an individual would typically do day-to-day, IT teams can be alerted and immediately respond. This has grown increasingly difficult to manage and identify with the shift to remote work – as this case with the water treatment facility in Florida has shown – so it’s crucial now more than ever for organizations to respond with solutions that can protect their organization, their employees and their customers.”


Gil Kirkpatrick, Chief Architect at Semperis:


"There continues to be a mindset in the public and even in the infosec community that the effects of cybercrime are primarily digital: individuals lose access to their files, companies aren't able to operate efficiently, or in the worst case (as in Ukraine) neighborhoods lose power for a while. Even though the Maersk NotPetya attack had visible physical universe effects (shipping terminals were unable to open gates to allow trucks in or out), these effects were economically damaging, but certainly not life-threatening. This attack on the Oldsmar City water treatment system has to be a wake-up call for the industry and for the public. The risk is real. Cyber criminals can kill people, they can kill them remotely, they can kill them indiscriminately and at scale, and they can do so with a high likelihood of impunity. We as an industry have to wake up to this risk and design, implement, and operate our systems with a cyber-first mindset before the unthinkable happens. Lives depend on it."


Gary Kinghorn, Marketing Director at Tempered Networks:


"Yesterday's hack of the Oldsmar, Florida water treatment plant again highlights the importance of maintaining critical infrastructure with a virtual air-gap (being off the network) from remote access. These systems should not be reachable by unauthorized attackers because of the sophistication of modern penetration tools and the complexity of these systems to make them completely free of vulnerabilities. Traditional firewalls and other remote access or VPN solutions are proving inadequate against these threats. We need to block any unauthorized access from ever reaching these critical and life maintaining systems while still allowing authorized, fully identified users remote access through secure tunnels using military-grade encryption. We have many such water districts using our solution for just these types of scenarios."


Eddie Habibi, Founder at PAS, now part of Hexagon:


"The news that a hacker infiltrated a water treatment facility in Florida and changed a configuration setting to increase the volume of a dangerous chemical (lye) has rightly been greeted with concern by the media and cybersecurity community. The cyber threat to critical infrastructure has been increasing steadily as hackers, whether nation-state actors, criminal enterprises, or lone individuals better understand how to exploit operational technology (OT) in addition to IT systems. While much of the coverage of the cyber risk to critical infrastructure to date has focused on the age of many industrial control systems and the fact that they were not designed and deployed with security in mind, in this case, the attack vector appears to have been the increased level of remote access enabled by the Florida county.


In the rush to support remote operations during the global pandemic, there are very likely many organizations who have increased remote access to industrial engineering workstations and operator consoles. Fortunately, in this case, there was a vigilant operator who noticed the 111x increase in the chemical (from 100ppm to 11,100ppm) and was able to take quick corrective action to return the configuration setting to its prior level. While industrial espionage remains a significant threat (not all cyber attacks are focused on disruption), the worst fears of many in the OT cybersecurity community were realized in this episode; namely, changing a configuration setting to harm the community served by the facility. It is a poignant reminder that the best foundation for effective OT cybersecurity is a detailed and broad asset inventory that includes relationships and dependencies among OT systems and a baseline of configuration settings. With this in place, risk assessment is far more informed, enabling organizations to more effectively assign and limit remote access at both the system and account levels. Indeed, the combination of an up-to-date asset inventory and risk-based remote access management policies is more critical now than ever before, as it enables both reduced risk as well as faster recovery in the event of an unauthorized change."


Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:

“We rarely see retaliation in these cases for good reason. It’s extremely challenging to confirm the culprits. An attack can seem to bear the signature of some known adversary, but be packed with digital red herrings to obscure its origins. Placing blame usually means placing a bet. Our time is generally more wisely spent upgrading cyber defenses.”

Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software:

“Remote session tools, such as TeamViewer or Remote Desktop Protocol (RDP), should never be accessible from the outside. In this case, it seems that this was the case, likely combined with weak or easy to guess passwords.

If these tools are in place, an organization should have all precautionary measures in place to verify the settings, keep them in accordance with NIST or CIS controls, monitor the access and control any change happening to the device with these tools installed. Unfortunately, this is not always the case and attackers seem to have an easy play to get access to critical systems. It is easy to find about 250 systems using these tools connected to the public internet, and within two minutes, to have access to an unprotected system belonging to a water utility provider in Florida. Previous research, including the Solarium report, has documented that critical infrastructures are vulnerable, and sometimes it is not hard at all to get access to one provider. That status is the same across all critical sectors including healthcare.

Whether there are any access logs available in this incident is an open issue. However, the original statement seems to indicate that there are none and identification and attribution will be difficult.”
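Both Habibi (a baseline of configuration settings that makes an unauthorized change detectable and quickly reversible) and Schrader (monitor and control any change on devices that carry remote session tools) point at the same control. The following Python script is an added illustration of that control, not code from the article or from any of the vendors quoted. It assumes a hypothetical key=value change-audit line per setpoint change; the tag names (NAOH_SETPOINT_PPM, CL2_SETPOINT_PPM), the safety bands and the sample audit lines are constructed for the example and mirror the 100 ppm to 11,100 ppm change the article describes, not any real plant's values.

```python
"""Configuration-baseline drift check for OT setpoint changes.

Added illustration only: the audit-line format, tag names and limits are
constructed for this example and are not taken from the Oldsmar plant or
from any vendor product.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Baseline inventory: approved value and hard safety band per monitored tag.
# Values are illustrative, sized to mirror the 100 ppm -> 11,100 ppm change
# quoted in the article; real bands come from the plant's process engineers.
BASELINE = {
    "NAOH_SETPOINT_PPM": {"approved": 100.0, "low": 50.0, "high": 200.0},
    "CL2_SETPOINT_PPM": {"approved": 2.0, "low": 0.5, "high": 4.0},
}

# Constructed audit trail, one setpoint change per line (hypothetical format).
SAMPLE_LOG = """\
2021-02-05T08:02:11Z host=OPS-WS-1 user=operator1 session=console tag=CL2_SETPOINT_PPM old=2.0 new=2.2
2021-02-05T13:30:42Z host=OPS-WS-1 user=operator1 session=remote tag=NAOH_SETPOINT_PPM old=100 new=11100
2021-02-05T13:33:05Z host=OPS-WS-1 user=operator1 session=console tag=NAOH_SETPOINT_PPM old=11100 new=100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"tag=(?P<tag>\S+) old=(?P<old>[-\d.]+) new=(?P<new>[-\d.]+)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    session: str
    tag: str
    old: float
    new: float
    severity: str
    reason: str
    restore_to: Optional[float]  # approved baseline value, for fast rollback


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["old"] = float(event["old"])
    event["new"] = float(event["new"])
    return event


def classify_change(event: dict, baseline: dict = BASELINE):
    """Return (severity, reason); severity is None when the change is routine."""
    b = baseline.get(event["tag"])
    if b is None:
        # A tag missing from the inventory is a gap, not noise: escalate it.
        return "critical", "tag not in baseline inventory"
    new = event["new"]
    if not (b["low"] <= new <= b["high"]):
        return "critical", f"new value {new:g} outside safety band {b['low']:g}-{b['high']:g}"
    if event["session"] != "console":
        # In band, but made over a remote session: needs explicit authorisation.
        return "warning", f"in-band change over {event['session']} session; verify authorisation"
    return None, "in-band change from local console"


def scan_log(text: str, baseline: dict = BASELINE) -> list:
    """Run every parsable audit line through classify_change and collect alerts."""
    alerts = []
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # blank or malformed line; a real deployment would count these
        severity, reason = classify_change(event, baseline)
        if severity is None:
            continue
        entry = baseline.get(event["tag"])
        alerts.append(Alert(
            ts=event["ts"], host=event["host"], user=event["user"],
            session=event["session"], tag=event["tag"],
            old=event["old"], new=event["new"],
            severity=severity, reason=reason,
            restore_to=entry["approved"] if entry else None,
        ))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.ts} {a.tag} {a.old:g} -> {a.new:g} "
              f"via {a.session} on {a.host}: {a.reason}; restore to {a.restore_to}")
```

On the constructed log the script raises exactly one alert, the remote-session jump of NAOH_SETPOINT_PPM to 11,100 ppm, and carries the approved value (100 ppm) with it so the responder does not have to look up what "normal" was. The in-band chlorine adjustment from the local console is treated as a baseline update rather than an alert; an in-band change made over a remote session is surfaced as a warning for authorisation review, and a tag that is absent from the inventory is escalated rather than ignored, since an incomplete inventory is the gap Habibi warns about.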