On Friday 5th February 2021, a hacker used a common IT remote access application ‘Team Viewer’ to take control of a workstation at the water treatment plant in Oldsmar, Florida. During this cyber incident, a remote agent took control of the water process and modified the level of sodium hydroxide from 100 parts per million to 11,100 parts per million.
To be clear, there are several redundancies within a water process where chemical levels are checked before the product is released into circulation. Despite these additional controls there have been instances where human life has been put at risk with contaminated water being released, an example here in the UK was at Camelford.
Cars have air bags, ABS brake systems, air bags, collision warning systems, yet we still have fatalities. Isn’t the answer to simply drive safely?
During a press conference held on the 8th February Sheriff Bob Gualtieri, Mayor Eric Seidel and City Manager Al Braithwaite were all confident that other systems and alarms would have caught the dangerously high sodium hydroxide level. Luckily, this did not need to be proven, on this occasion as there was an angel on guard, an operator on site that caught this change happening in real time on the remotely accessible terminal.
Sheriff Gualtieri said “At first the operator didn’t think much of it because it’s normal for his supervisors to use the remote access feature to monitor his computer screen at times. However, around 1:30 p.m. someone again remotely accessed the computer system, and the operator observed the mouse moving around on the screen to access various systems that control the water being treated”
During the second intrusion, which lasted three to five minutes, the intruder changed the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million, “a significant and potentially dangerous increase.”
Despite the assurances given by the three to the press, you have only got to observe their body language and question some of the vague responses to see they all knew this was a really close call.
Officials at the plant said they have since disabled the remote access system and plan to make secure upgrades to additional systems.
Things that make you go Hmmmm…
While investigations are ongoing with local and federal law enforcement, I can’t but help switching my thought process into penetration testing mode. A quick scan of Shodan (a search engine like google for internet connected devices), shows 7300+ plus devices accessible for Team Viewer, hone your search a little deeper and you can quickly focus onto a geographical area and undertake your research on your selected target.
By the way, this same search engine works just as well for Industrial protocols.
Moving on, a quick search on another sites for leaked credentials and $2 later, you can buy a COMBO collection of breach data with 3.27B leaked credentials which has 13 entries for the Florida treatment plant.
Whilst its possible this was a sophisticated state sponsored cyber-attack against US critical national Infrastructure, it is also just as likely, this was opportunistic hack that was easily unavoidable using breached or weak credentials.
The truth will eventually come out and lessons will be learnt.
There are so many things wrong with the Oldsmar incident to cover off in this article. I wrote back in March about the ‘Global Remote Working Trends’ and later in July regarding ‘The Evolution of Secure Remote Access’. The first articles summarised the increase in remote working due to the global pandemic, the second explores safe ways of remote working and questions if the rush to work remotely has inadvertently placed business at risk.
We can see from early evidence that Oldsmar is running Windows 7, a legacy operating system that hasn’t been patched by Microsoft since January 2020. Legacy systems are not uncommon within OT, but they are a risk to manage.
Ounce of prevention is better that Pound of cure
Oldsmar is a compelling event for OT, it simply confirms what OT security professionals have been saying for years that Critical National Infrastructure is at risk, not only in the US but globally. We see ransomware finding its way into these critical systems and more recently state actors infecting the supply chain with the SolarWinds incident.
I’m sure for this one event there have been thousands which haven’t had time in the news, especially for non-regulated industries. As remote working becomes the new norm, I’m sure there will be more events in the future.
Checking your Six (Updated 03/03/21)
At SolutionsPT we monitor and track the ever-evolving cybersecurity threat landscape. This is why we would like to offer our customers free 10-day access to email breach data that may be traded on the dark web, as well as access to live Open-Source Network Intelligence (OSINT) for your domain.
This data can also be correlated with Active Directory to quickly and easily identify user accounts at risk and when passwords were last changed.
Our threat intelligence service Darkvision will be live from April and you can pre-register your interest today.
Finally we understand that not all endpoints in OT are fully up-to-date with the latest AV signatures, therefore, we would like to provide 30 days free trial of Blackberry Protect, a 100% Artificial intelligence endpoint protection suite which has up to 33 months predictive advantage over traditional signature based Anti-Virus.
Blackberry Protect is perfectly aligned to the needs of OT and can co-exist with other solutions to provide true defence in depth. Best of all, it never requires signatures ever! Update cycles are on average every 6 months, doesn’t require an always on internet connection, processes data locally and doesn’t require a reboot after installation.
Deployments can be passive in nature so having zero impact to your running system and application whitelisting and removable media control is included without additional licensing.