A Water District in Florida was Hacked - Here's What Went Wrong and How Similar Incidents Can Be Prevented
Cybersecurity experts agree the Oldsmar attack was easily preventable and this raises a "Red Flag" for critical infrastructure across the United States
Ready to make sure your organization is properly protected against similar cyber attacks or other disasters?
What exactly happened to the Water Treatment Plant in Oldsmar, Florida?
Details are still be clarified, but here’s what we know:
On February 5, 2021, the Oldsmar water treatment plant faced an initial intrusion by an unknown cyber attacker at 8:00 am. A second intrusion occurred at 1:30 pm, during which a plant operator noticed a drastic change in the chemical mix being used to treat the water. The attacker was inside the system for less than five minutes, and the plant operator reversed the chemical change immediately. The Pinellas County Sheriff insisted “the public was never in danger.”
The cyber attack was targeting the chemical balance of the water, presumably to poison the city’s approximately 15,000 residents. The Oldsmar plant operator who reversed the changes caused during the attack said levels of sodium hydroxide (commonly referred to as Lye) were raised from 100 parts per million to 11,100 parts per million, a dose that could cause complications such as irritation, burning, vomiting, and even death.
So how did the breach occur?
The unknown attacker was most likely able to breach the system via a remote access software known as TeamViewer. According to CSO, the software has a history of being insecure, but this was likely the most affordable option for an underfunded public utility that needed to develop a work-from-home solution amidst the Covid-19 pandemic.
Local authorities claim the attacker was unable to cause any significant adverse affects on the water being treated, since the attack lasted less than five minutes.
Still, a breach into any critical infrastructure district is already too much. According to an article from the Tampa Bay Times, this hacker got farther than any other attempt to physically impact critical infrastructure in the US.
What are 3 key ways to easily defend against this type of attack?
First, let’s qualify “easily.” Hindsight is always 20/20. If you had the knowledge on where to “put your foot down,” and what to prohibit on your network, it would have been much “easier” to apply that knowledge and defend against such attacks. Could preventing this attack have been easy? Sure, the steps are simple in themselves. Much like a camper preventing a forest fire or a boater avoiding disaster when going out into the ocean. It takes planning, diligence, and a commitment to operate safely. However, “easily preventable” issues often cause forests to burn down and boats to capsize. As you read on, it becomes evident that a security policy likely did not govern decisions that were made, and a hacker walked through an open door.
There is an ongoing investigation to determine who the attacker was. The Pinellas County Sheriff’s Department, the FBI, and the Secret Service are all looking into the attack. There is no evidence to conclude whether the attacker was in or outside the US, and it is unclear why Oldsmar, Florida would have been targeted specifically.
Despite a lack of clarification from the agencies investigating the attack, CSO says it is unlikely the attacker was backed by a nation-state or other group and much more likely that this was an “amateur operation that’s likely a crime of opportunity.”
Former CIO of LADWP Matt Lampe contributed, suggesting a more advanced attacker would have taken out some of the plant’s other security measures, like the pH sensors.
This only makes the incident that much more alarming. If an amateur attacker was able to breach critical infrastructure this easily, that raises a national security concern. At a local, state, and federal level, there needs to be more concern about cybersecurity for critical infrastructure.
I will be asking the @FBI to provide all assistance necessary in investigating an attempt to poison the water supply of a #Florida city.
— Marco Rubio (@marcorubio) February 8, 2021
This should be treated as a matter of national security.
https://t.co/XhGNLplNpr via @vice
"Easy" Defense Step #1: Choose your remote access solution wisely.
If TeamViewer wasn’t installed, the attack probably wouldn’t have happened. ANY remote control tool accessible from the Internet has a risk of being compromised. But this is *especially* the case with remote control software that creates a continuous outbound tunnel from Desktop to the Cloud 24x7 (whether encrypted or not), bypassing VPNs and network security, waiting for a request to control the machine it is tied to. Any compromise of security credentials, or a compromise of the software vendor itself leaves you open to unauthorized access from anywhere, anytime. Bots are built to look for holes and if you leave one open, someone will find it. We recommend all remote access first be authenticated into an isolated VPN, and that the remote control solution be vetted properly.
What does the Oldsmar attack mean for cybersecurity?
The attack in Oldsmar was possible because of the remote access software TeamViewer, which was being used during the pandemic to allow engineers to troubleshoot problems from other locations. The problem with critical infrastructure districts using this kind of software is the lack of security surrounding it.
CSO explains that the attacker accessed an Industrial Controls System (ICS) remotely, likely using stolen or lost credentials.
Pinellas County Sheriff Bob Gualtieri emphasized during a press conference that public utilities systems are part of the nation’s critical infrastructure and as such present targets for these kinds of attacks.
A good point, which raises the question: why was this important SCADA system not properly secured? This is a concern for critical infrastructure everywhere.
Cybersecurity experts are saying this evident lack of multi-factor authentication and remote access software essentially made the attack “the equivalent of walking through and unlocked front door.”
Local officials stand by the additional safeguards — like the pH sensors — that would have noticed the change even if the plant operator on duty hadn’t but five minutes inside a SCADA system is too long.
"Easy" Defense Step #2: Require Multi-Factor Authentication.
The Dark Web contains millions of records containing compromised email addresses, usernames, associated URLs, and passwords. In addition, credentials can be stolen, guessed, or brute-forced. Implementing MFA is a relatively easy way to improve security and insulate your organization from lost, stolen, or weak credentials.
The transition from modbus and other "closed" networks for SCADA systems to the more "open" IP based systems has introduced a level of vulnerability into the national infrastructure of water supply and wastewater treatment systems that is unavoidable but can be mitigated with proper controls. As experts in network design and industrial networks, we can assist with the segmentation, isolation, and control of these IP based SCADA networks.
Richard Pressler
AllConnected CTO and Chief Architect
"Easy" Defense Step #3: Invest in outside expertise.
A cyber-security assessment can help expose critical risks and gaps to executive management. We often hear ‘there’s no budget’. Yet a breach increases the cost many times and forces the budget conversation that should have happened earlier. It reminds us of the quote ‘If you think it’s expensive to hire a professional to do the job, wait until you hire an amateur’. Identifying the gaps in your infrastructure, and prioritizing those gaps based on risk helps you to make good and important decisions in regard to the infrastructure you are responsible for. New risks are always emerging, and a recurring methodical review is essential.
How are cyber attacks like the one at the Oldsmar water treatment plant prevented?
This particular attack was incredibly easy. The system probably never should have been using the remote access software in question, but TeamViewer has yet to confirm the breach was caused because of their product.
According to a statement released by TeamViewer, the company is aware of the reports linking them to the attack but has no indication at this point that their software or platform has been compromised.
Now, according to CSO, the next steps should be identifying any other assets the organization has exposed to the internet and removing them from public networks or implementing other security measures.
So, what should Oldsmar’s SCADA system have had in place for the water treatment plant’s cybersecurity? AllConnected has put together a five-step approach below.
Five-Step Guide to Defend Critical Infrastructure Against Cyber Attacks
- Perform a Vulnerability Scan
- Implement Ongoing Training so Users Can Identify and Report Attempts at Social Engineering
- Re-Evaluate the Security and Auditing of Any Remote Access Methods
- Isolate Any Computer Systems that Cannot Be Updated
- Follow a Strict Program to Update Antivirus, Spam Filters, Firewalls, and Security Software
- BONUS: Partner with a Managed IT Services Provider to Ensure Your Organization has a Proper Cybersecurity and Incident Response Plan