The person who broke into a Florida water treatment plant and increased the concentration of a chemical likely wasn’t an experienced attacker, argues a senior security researcher with Domain Tools.
The attack “was either immature, rushed, or potentially unintentional,” Joe Slowik wrote in an analysis on Thursday.
It was just one of several analyses of the scary incident that the City of Oldsmar publicized on Monday.
Slowik came to his conclusion by considering three facts:
- Events took place during normal operational hours where personnel were on-hand and available to quickly respond;
- The intruder did not attempt to hide or mask their activity through interaction with or overwrite of HMI (human-machine interface) systems or spoofing of sensor data;
- The modification to sodium hydroxide levels was so extreme as to almost certainly trigger engineering or other non-ICS (industrial control system) controls or alarms within the environment.
“Although the incident resulted in neither significant disruption nor outright damage, the simple fact that some unknown entity attempted the above action is deeply concerning, reflecting either callousness given the potential harm, or ignorance as to what the attempted change might have produced in the serviced population,” he added.
According to statements from the city and news reports, someone accessed the water plant management system through the remote access software TeamViewer and boosted the amount of sodium hydroxide (lye) in the water treatment system. News reports say the access password was shared among a number of employees. A plant worker noticed the manipulation of the sodium hydroxide on his screen and when the attacker returned the level to its proper point.
While crafting a conclusion, Slowik looked at four well-known cyberattacks on ICS systems:
The 2009 Stuxnet attack on Iran’s centrifuges at a nuclear enrichment plant. “The critical item enabling Stuxnet’s success was the malware’s ability to induce a general loss or denial of view condition in the victim environment. In this specific case, the malware recorded “normal” plant operations then played these recordings back to monitoring systems during physical attack sequences to mask events from plant operators. Absent this critical step, operators would have been able to detect anomalous operations in the plant environment enabling intervention and process diagnosis;
The 2015 attack on Ukraine’s power grid which caused a widespread blackout. For that operations to succeed, Slowik said, plant personnel had to be locked out of their workstations to prevent operator intervention during the initial phases of the attack. Then wiper malware removed remote operational control, after which a malicious firmware update to serial-to-ethernet converters made communicating with equipment impossible. Six Russians military intelligence members have been accused of being behind this and other attacks;
The 2016 attack on Ukraine’s power grid. The incident again wiped control systems to induce loss of control, Slowik says, although it was also likely aimed at a loss of view condition as well to enable a potentially destructive (if failed) physical damage scenario. “In this particular case, removing operator logical control (to force manual operations) combined with loss of logical view into the health and status of the system was used in sequence to enable a process protection-focused attack scenario. Absent these conditions, it would be highly unlikely for the sequence of events required to restore operations in an unprotected, unsafe state (enabling possible destruction) would materialize;”
The 2017 attack on a petrochemical plant in Saudi Arabia led to multiple unexpected plant shutdowns due to the plant’s safety instrumented systems (SIS) tripping for then-unknown reasons. Using purpose-built malware the goal was to enable undetected, arbitrary modification of SIS parameters, says Slowik. Combined with access elsewhere in the plant environment, an attacker could remove or alter safety controls to induce physical damage. But to succeed the attacker had to alter parameters without operators knowing such changes took place.
“In all four examples the attacks required some mechanism to hide from operators or deny their ability to correct or mitigate changes made to operating parameters,” Slowik wrote. The Oldsmar attacker didn’t do that.
Still, the incident highlights the real risks and dangers associated with remote access to critical infrastructure systems, he said. Removing or curtailing remote access is unrealistic, he argues, given the needs of organizations to control widely spread devices and vendor maintenance needs.
Instead, he suggests mitigations:
- Create or buy a purpose-built bastion or “jumphost” in-between remote access software and an HMI to provide a single, hardened point for remote access and monitoring. Slowik says by using different sets of credentials for the bastion host to the internal network and system authentication, security can be increased further because password brute-forcing or credential capture for the bastion won’t enable immediate follow-on access to other systems in the network.
- Network segmentation, access controls, and sound network engineering can work in concert to reduce the overall attack surface to a limited number of defensible nodes (such as the bastion), while also facilitating monitoring of activity to a smaller set of devices. Robust multi-factor authentication will help even more.
- Use network security monitoring (NSM) and traffic analysis to build an intelligence picture of traffic flows and communications.
Through a combination of network hardening, attack surface reduction, network segmentation, and NSM with indicator enrichment, defenders can dramatically reduce the likelihood of successful attacks, says Slowik, significantly reduce their efficacy, or increase the likelihood of identifying such activity at relatively early stages.
More advice from CISA
In its notice, CISA advised water treatment facilities to install independent cyber-physical safety systems that physically prevent dangerous conditions from occurring if a control system is compromised by a threat actor. These controls can include the size of a chemical pump or reservoir, the gearing on valves and pressure switches.
The agency also offered this advice to better secure TeamViewer:
- Do not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy access.”
- Configure TeamViewer service to “manual start,” so that the application and associated background services are stopped when not in use.
- Set random passwords to generate 10-character alphanumeric passwords.
- If using personal passwords, utilize complex rotating passwords of varying lengths. Note: TeamViewer allows users to change connection passwords for each new session. If an end-user chooses this option, never save connection passwords as an option as they can be leveraged for persistence.
- When configuring access control for a host, utilize custom settings to tier the access a remote party may attempt to acquire.
- Require remote party to receive confirmation from the host to gain any access other than “view only.” Doing so will ensure that, if an unauthorized party is able to connect via TeamViewer, they will only see a locked screen and will not have keyboard control.
- Utilize the ‘Block and Allow’ list which enables a user to control which other organizational users of TeamViewer may request access to the system. This list can also be used to block users suspected of unauthorized access.
