Hello! I am Sean Bouchard with ICI Electrical Engineering and today we will be talking about the water system that was hacked in the town of Oldsmar, Florida. Let us break down this report and see what this is all about.
Oldsmar Florida News References:
Where is the risk?
In modern facilities, industrial software has a direct impact on business continuity, health, safety, and environment. Industrial software, and the corresponding physical systems that it controls, must be protected by an approach that includes considerations for its expected operation.
- A water treatment facility was hacked, and a Threat Actor was able to operate the SCADA system remotely to change the dosing rate of lye.
- How was this modification detected? An Operator noticed the mouse cursor moving on the screen that was interacting with the SCADA system during the SECOND noted intrusion attempt. What? The second time? As per The Wall Street Journal’s article, linked below, the first time it is noted that the Operator "didn't think much of it" because other Operators regularly connect to the system too.
- Another note in the reports indicates that the Threat Actor connected through TeamViewer… the municipality had recently switched to a new remote access software but left TeamViewer in place.
As we break this report down, we see how that it fits into the Defense in Depth architecture, highlighting just about every aspect. This appears to be a fairly low skill type of attack. Why? One. Because it involves off the shelf remote access tools, two, because this story is not about ransomware. There are many ways that this incident could have been avoided.
Defense in Depth – What applies?
- Access Control - Who has access to the system, it is granular?
- Cyber-Physical and Engineering - Why was it possible to set the lye dosing system to 11,100 PPM if the typical dose is 100 PPM?
- Policies & Procedures - Remove old software and track who has access.
- Patching - Update software, the software is only as good as its configuration.
What is TeamViewer?
TeamViewer is simply a remote access tool. It is a publicly available tool that is capable of very good security. They have free, non-commercial versions and paid commercial versions that are actively supported to provide remote desktop access to almost any type of computer.
There are typically two ways to connect to a TeamViewer installation. One, through a user account and password, and two, through a one-time access code that someone sitting at the physical computer can supply to the remote person. In addition, there are also capabilities to add a unique, second, system access, password to the specific computer that is being remotely accessed.
How does an "unauthorized" person connect to TeamViewer?
Easiest is through an authorized account. Are you tracking who has access through your remote access software? Are you sharing the same remote access credentials with multiple people? Do you know what types of remote access software are actually installed on your SCADA PC?
What about patching?
Since the TeamViewer installation was mothballed, it was likely not being checked for updates. TeamViewer software is fairly secure however, like every piece of software, there is a cat and mouse game of vulnerabilities being discovered and patched. There is a recent vulnerability announced that allows an attacker to obtain the system access password - however they would have had to been convinced to browse to a malicious website.
TLDR – What's the take away?
Be aware of who and how people connect to your system. Ask yourself these questions for your own facilities.
- Access control - based on the report, it appears that anyone with access to the SCADA workstation could interact with the physical system. Do you know who is has access to your systems?
- Where is the access control system, and why was it possible to actually set the dosing system from 100 parts per million to 11,100 parts per million. Is there a physical need for the system to be set to 11,100 PPM?
- The article mentions that Oldsmar recently changed remote access software, but they did not remove the old TeamViewer software. Who had access to the old installation? Previous employees? Contractors? What if one of their computers was hacked and they had the remote access passwords saved on it? If they were sharing logins to the Team view instance, it would be difficult to determine what or who the initial threat vector is!
Here at ICI our niche is Engineering and Securing Industrial Automation and Control Systems. Please feel free to reach out to us if you have any further questions regarding this article or the Industrial Cybersecurity of your facilities.