Infosec pros across North America are on alert after a threat actor hacked into the water treatment plant in a city near Tampa and changed the chemical balance used to treat drinking water consumed by 15,000 area residents.
Pinellas County Sheriff Bob Gualtieri told a news conference Monday that someone remotely accessed a computer for the City of Oldsmar water treatment system on Friday and briefly increased the amount of sodium hydroxide, also known as lye, by a factor of more than 100.
The Tampa Bay Times said the chemical is used in small amounts to control the acidity of water, but it’s also a corrosive compound commonly found in household cleaning supplies such as liquid drain cleaners.
Oldsmar’s water supply wasn’t affected because a supervisor working remotely saw the concentration being changed on his computer screen and immediately fixed it. The city also disabled the remote access system used in the attack.
City officials said there are several safeguards to prevent contaminated water from entering the water supply.
News of the incident caught one Canadian expert off guard. “Something like this is rare where it has that type of success. It is a bit different from the constant [IT network] barraging of attacks you get,” said Greg Solecki, a Vancouver-based incident response plan consultant to Canadian water facilities and a former national chair of the Canadian Water and Wastewater Association’s emergency and security committee. The CWWA represents local water treatment providers.
On the other hand, Ed Dubrovsky, chief operating officer of the Toronto-based incident response firm Cytelligence, said he was “not surprised” to hear of the attack. He said his firm has seen 20 cyberattacks on municipalities that impacted or could have impacted all of their critical infrastructures, including water treatment. He agreed that many small Canadian municipalities are generally unprepared for cyberattacks.
What’s different about the Florida attack is it apparently wasn’t financially motivated, Dubrovsky said. Many attackers would have brought the water treatment system down and demanded money from the city to restore control. In Oldsmar, the motivation seemed to be to cause harm to people. He added that it could also have been a “proof of concept” for a threat actor.
According to Reuters, reporters were told the Oldsmar attacker leveraged the utility’s use of remote access software called TeamViewer. It isn’t known if the attacker used a brute force attack to get credentials, acquired stolen credentials or exploited a vulnerability. Last August, a cybersecurity researcher at Praetorian discovered a high-risk vulnerability in TeamViewer for Windows (CVE-2020-13699). The vulnerability is due to the application not correctly quoting its custom URI handlers. If a user with a vulnerable version of TeamViewer installed is tricked into visiting a malicious website, the site could capture their hashed password for offline password cracking.
TeamViewer has released a patch for this vulnerability.
UPDATE: On Tuesday the FBI issued a notice saying the attacker “likely” accessed the system by exploiting a number of weaknesses including poor password security “and an outdated Windows 7 operating system,” in addition to “likely” using TeamViewer.
Massive red flags
However, news of the attack alarmed infosec pros, who have warned for some time about the risks of not properly securing IT systems in general from remote attacks and operational technology (OT) systems in utilities and factories that are open to the Internet.
“All systems used for critical networks like these should have very limited, if any, internet access,” said Karl Sigler, senior security research manager at Trustwave SpiderLabs. “User accounts and credentials used to authenticate locally on the workstation and for remote access software should be changed frequently and utilize multi-factor authentication. In this instance, it was lucky that the user was physically there to see the remote control and what settings had changed, but all critical activities should be audited, logged and monitored for abuse.”
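One way to act on the last point in that quote, monitoring critical activities for abuse: an added example (not code from the article or from any plant’s system) that scans constructed audit-log lines for chemical setpoint changes that fall outside assumed engineering limits or jump by more than tenfold in a single step, and notes when such a change arrived over a remote-access tool. The log format, the tag name `NaOH_dose_ppm`, the limits and the sample values are all assumptions.

```python
# Added example (not from the article): flag chemical setpoint changes in a
# water-treatment audit log that exceed engineering limits or jump by a large
# factor. Log format, tag names and limits are constructed assumptions.
import re

LIMITS = {"NaOH_dose_ppm": (0.0, 500.0)}   # assumed engineering range per tag
MAX_RATIO = 10.0                             # flag any single change above 10x
REMOTE_TOOLS = {"teamviewer", "rdp", "vpn"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) via=(?P<via>\S+) "
                     r"tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$")

def parse(line):
    """Parse one constructed audit line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["old"], rec["new"] = float(rec["old"]), float(rec["new"])
    return rec

def check_change(rec):
    """Return the reasons a setpoint change should alert (empty list = ok)."""
    reasons = []
    lo, hi = LIMITS.get(rec["tag"], (float("-inf"), float("inf")))
    if not lo <= rec["new"] <= hi:
        reasons.append(f"{rec['tag']}={rec['new']} outside [{lo}, {hi}]")
    if rec["old"] > 0 and rec["new"] / rec["old"] > MAX_RATIO:
        reasons.append(f"{rec['tag']} changed {rec['new'] / rec['old']:.0f}x in one step")
    # Out-of-range changes arriving over remote access deserve extra scrutiny.
    if reasons and rec["via"].lower() in REMOTE_TOOLS:
        reasons.append(f"made over remote access ({rec['via']})")
    return reasons

def scan(lines):
    """Run every parseable line through check_change; return (ts, user, reasons)."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is not None and (reasons := check_change(rec)):
            alerts.append((rec["ts"], rec["user"], reasons))
    return alerts

# Constructed sample lines (not real plant data): routine tweak, >100x remote jump, revert.
SAMPLE = [
    "2021-02-05T08:02:11 user=operator1 via=console tag=NaOH_dose_ppm old=100 new=105",
    "2021-02-05T13:30:44 user=operator1 via=teamviewer tag=NaOH_dose_ppm old=105 new=11100",
    "2021-02-05T13:31:10 user=operator1 via=console tag=NaOH_dose_ppm old=11100 new=105",
]
```

Calling `scan(SAMPLE)` returns a single alert for the remote change, with three reasons; the routine tweak and the manual revert pass silently.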
Canadian consultant Solecki said he’s never heard of a Canadian water treatment facility attacked through a Windows remote access application.
Canadian water and wastewater treatment facilities are “quite aware of all of their hazards, risks and threats because in the past we have been diligent in sharing knowledge,” he said. In fact, the Canadian Water and Wastewater Association has recently been discussing with the federal government’s Canadian Centre for Cyber Security a national simulation of a cyberattack on water infrastructure.
However, he acknowledged, “the next step” to knowing about cyber risks is doing something about them. But the speed and variety of cyberattacks are constantly changing. “There needs to be vigilance on what the vulnerabilities are and, in parallel, how are we prepared to respond,” Solecki said.
Dubrovsky said that if news reports are accurate and the Oldsmar employee could see the hacker moving around his desktop on the water treatment plant’s management console, that’s a massive red flag. “It tells me there is really zero controls,” he said.
He added infosec pros need to remember the majority of cyberattacks aren’t complex and can be easily thwarted.
“When we go in and start scoping a post-incident, it takes me literally from five to seven minutes to figure out what the attack vector was. In the majority of cases, it’s as simple as a VPN connection that didn’t have multifactor authentication or RDP (Microsoft remote desktop protocol) that was left open to the internet with very little additional controls that would stop an attacker from brute-forcing credentials,” he said.
The Oldsmar incident is another warning to organizations to toughen their operational networks. Years ago OT networks weren’t connected to the internet. However, in the past decade, utility and manufacturing plant managers have seen the potential of leveraging IT technologies for better oversight. That has induced industrial control system (ICS) manufacturers to offer more connected equipment.
At the same time, ICS experts have warned of the risks to connected critical infrastructures like water and electrical utilities, oil and gas suppliers and even municipal traffic light systems.
In 2012 IT World Canada carried a story quoting experts at a conference sponsored by the U.S. Department of Homeland Security warning of ICS security problems.
In 2015 the SANS Institute reported that one-third of 314 survey respondents who actively maintain, operate or provide consulting services to facilities maintaining ICS systems said their organization’s control system had been breached. Of those, 17 per cent acknowledged six or more breaches had occurred so far that year, up from nine per cent in all of 2014. Another 11.3 per cent said in 2015 they had suffered between six and 10 breaches, while 3.8 per cent thought they could have been breached up to 50 times.