There was a time when “something in the water” conjured memories of the shark from Jaws. But a recently-reported cyber attack against a Florida water treatment facility means malicious hackers are the new danger in the water.
Although dire-sounding, failsafe mechanisms and quick action by a facility operator ensured that the water supply was not compromised and remained safe for consumption. However, the potentially catastrophic real-world impacts of critical infrastructure hacks highlight the need for action to address cybersecurity risks like misuse of remote access and outdated software.
There’s something in the water
According to the Pinellas County sheriff’s department, an unknown attacker was able to gain remote access to a computer system used by the city of Oldsmar for supervisory control and data acquisition (SCADA). These systems gather data from sensors in industrial machinery, such as PH sensors in water treatment tanks, and issue electronic commands to the machinery in response, like adding specific chemicals to balance the PH level of the water.
In this hack, an unknown actor was able to gain remote access to the facility’s SCADA system and adjust the amount of sodium hydroxide, a caustic chemical commonly known as lye, to over 100 times the normal level. In small amounts, the chemical safely treats water, but large quantities cause chemical burns.
Luckily a facility operator was sitting at the SCADA computer screen and saw the remote attacker take control of the mouse and keyboard. While this is part of standard procedure for remote support, the chemical level set by the attacker is well outside of normal limits, so the operator changed it back immediately. County officials stressed that other failsafe mechanisms exist which would have caught and corrected the change, such as chemical level and PH monitoring.
There are four major issues at play in this attack and others like it, including:
- Most obvious is the use of remote access. Like all technology capabilities, there are benefits and risks. In this case, the benefit involves remote operators who can monitor and control multiple sites without being physically present. The risk is, of course, that attackers can also gain remote access for malicious purposes. There is an inherent tradeoff between security and staff productivity.
- Possibly less obvious but equally important is the unfortunate truth that critical infrastructure is a high-profile target for hackers. These are often municipal systems with tight budgets, a focus on 100% operational uptime, and limited security. Attacks can have devastating real-world consequences like loss of power, flooding, and unsafe drinking water.
- Although details are scarce, there are indications that computers running outdated Windows 7 were a target of the attack. Microsoft ended support for Windows 7 in January 2020, meaning flaws and vulnerabilities are no longer being patched. Limited budgets and operational constraints, like no version of the SCADA available for newer versions of Windows, often hinder upgrades and increase risk.
- Reports indicate that a shared password was used for the TeamViewer remote access tool. Shared passwords or credentials present two fundamental problems: if everyone uses the same credentials to log in, there is no accountability — it’s impossible to tell who logged in. Second, and related, it’s harder to investigate when things go wrong. Knowing who logged in is a starting point for an investigation. Perhaps that user is disgruntled or fell victim to a phishing scam, and their credentials were compromised.
Safeguard your (digital) well
Sheriff Woody in Toy Story says, “Somebody’s poisoned the water hole!” but also “Reach for the sky!” when he finds the criminals. At Coalition, we recommend everybody have a digital sheriff keeping an eye on cyber risks, even if you aren’t in charge of critical infrastructure like water treatment or power generation.
Attacks against these organizations are potentially life-threatening. While attacks against most other organizations will not be as dire, they do pose serious challenges to you, your customers, and your community.
Here are our top tips to protect yourself from cyber attacks:
- Remote access: if it’s not needed, disable it! If it is a business requirement, controls must be in place to address risks, including Multi-factor Authentication (MFA), secure remote access tools (we generally recommend against RDP and RDWeb), and placing the remote resources behind a VPN, proxy, or single sign-on (SSO) portal. Due to their complexity, remote access solutions may be a bigger security risk than they’re worth, so migrating to secure cloud-based or hosted options is a useful alternative to providing remote access.
- Patch and update: software has bugs, and attackers know this. Patching software is essential to limiting the chance of those bugs being exploited. Systems that are no longer supported should be replaced whenever possible; if not possible additional controls like MFA, network segmentation, and monitoring are needed.
- Access controls: the username and password combo is, sadly, here to stay. Bad password habits like sharing passwords, reusing passwords across sites, or single-factor authentication for critical systems only make attackers’ lives easier. Review your password policy to ensure it requires unique credentials and disallows sharing, deploy a password manager, and implement MFA wherever possible.
Reduce your cyber risk
All organizations have cyber risks, whether you’re a professional services firm, critical infrastructure operator, or other business. The threat landscape continues to evolve, and your response to cyber threats must evolve with it. Following the tips above as well as the guidance in the Coalition Cybersecurity Checklist can help you do just that.
For specific questions or additional details, you can always reach us at firstname.lastname@example.org. We are happy to set up time to discuss how to improve your security and reduce your cyber risk.