All cyberattacks are alarming. When an attack threatens the physical safety of thousands of people, however, the reality of the threat hits home. This is exactly what happened in the Florida city of Oldsmar, where hackers attempted to poison the city's water supply, an event announced on Monday.
The hackers used the remote access software TeamViewer (used for IT remote control, desktop sharing, online meetings, web conferencing and file transfer between computers) to reach the plant's control system and alter the level of sodium hydroxide (lye) dosed into the water during treatment.
Unfortunately, water is one of the most at-risk critical infrastructure sectors today, and industrial control system (ICS) vulnerability disclosures affecting the sector have increased significantly year over year. "As noted in our Biannual ICS Risk & Vulnerability Report released a few days ago, the Claroty Research Team found that ICS vulnerabilities disclosed during the second half (2H) of 2020 increased by 54% from 2H 2019 and 63% from 2H 2018 in water and wastewater," says Grant Geyer, chief product officer at industrial cybersecurity company Claroty, in a statement.
"Due to the long depreciation period of equipment in critical infrastructure environments, technology obsolescence and the accompanying security vulnerabilities are a common occurrence," says Geyer. "Additionally, many water utilities are small entities and are under-resourced, making the challenge of developing a robust security program that much more challenging."
With President Biden publicly chastising Russia in a recent press conference and threatening economic sanctions as a result of previous nation-state campaigns, the timing of this attack is interesting, explains Richard Cassidy, senior director of security strategy at Exabeam.
“Critical national infrastructure (CNI) is at the top of the target list for nation-state attacks, given the political and socioeconomic impact if successful – even in part. It’s incredibly fortunate that a diligent member of staff noted the anomalous activity and corrected it. That said, what we’ve seen exemplified here is that the need to understand and baseline normal in terms of critical asset/system access is absolutely key,” says Cassidy.
The attack against the City of Oldsmar's water treatment system is what OT nightmares are made of, explains Marty Edwards, vice president of OT at cybersecurity firm Tenable and former director of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) under the Obama administration, in a statement.
"If successful, the damages of the attack would have been catastrophic. This story highlights just how quickly and covertly a subtle, and potentially deadly, change can be made. This is precisely why the security community has been warning about the rising threats to OT for the last decade-plus," says Edwards. "The days of isolated OT networks are long gone. In its place is a highly dynamic and complex environment of smart OT technology, modern IT and everything in between. Attackers have capitalized on these converged networks to move laterally from one system to another, making the compromise of just one device even more dangerous."
Geyer adds, "The solution is not as simple as eliminating remote access to such high-stakes environments. The nature of our increasingly digitized world, especially with the shift to remote work caused by the pandemic, makes remote access a requirement, even in critical infrastructure. This isn't a should-we-or-shouldn't-we discussion; it's coming at us. The key is how remote access can be implemented securely, so that we can stop these attacks, which will inevitably continue to happen, before the damage is done."
“User accounts and credentials used to authenticate locally on the workstation and for remote access software should be changed frequently and utilize multi-factor authentication,” says Karl Sigler, senior security research manager, SpiderLabs at Trustwave, in a statement.
According to Cassidy, regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk. “We’ve got to ensure we are monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality — regardless of how small — should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale,” says Cassidy. “Working smarter with automation technologies in managing large volumes of data streams, analyzing them for anomalies and reporting risk in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical. We might not be so lucky next time.”
"Luckily, the plant operators were able to detect the unauthorized changes to the sodium hydroxide levels immediately. Had it not been for their quick actions, this story could have ended very differently," says Edwards. "All organizations that operate critical infrastructure, such as water supplies, must invest in the people, processes and technology required to keep these systems safe. This wasn't the first attack of its kind and it certainly won't be the last."