On Monday, February 8, a press conference hosted by Pinellas County, Florida, sheriff Bob Gualtieri dropped an industrial cybersecurity bombshell that reverberated worldwide. Gualtieri, along with the mayor and city manager of Oldsmar (population 15,000), revealed that a hacker had infiltrated the Oldsmar water treatment system and changed the level of sodium hydroxide in the city’s water supply from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also called lye, is a highly caustic chemical that is a key ingredient in liquid drain cleaners.
The hackers gained unauthorized access to an internal industrial control system (ICS), likely using stolen or lost credentials, via TeamViewer, a remote desktop application that lets users log into systems from afar and that became ubiquitous across many organizations during the COVID-19 crisis. Gualtieri and the city officials offered only a few other details of the disturbing breach.
The attacker was caught in the act by a water utility employee who happened to see the cursor moving on the screen and executing commands; hours later those commands were discovered to be the malicious changes to the chemical composition. When the changes were discovered, the sodium hydroxide levels were restored to their original setting and no harm was done to the water supply. System checks and redundancies would have caught the deadly changes anyway, the officials maintained.
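The officials’ point about system checks is what an engineering-limit guard on a dosing setpoint looks like in practice. The following is an added illustration, not code from the Oldsmar utility or any product it uses; the tag names, limits and step sizes are constructed placeholders, and a real plant’s limits come from its process engineers and applicable drinking-water standards. A requested jump from 100 ppm to 11,100 ppm is rejected twice over: it is outside the absolute range and far beyond the permitted single-step change, and it raises an operator alarm either way.

```python
from dataclasses import dataclass

# CONSTRUCTED engineering limits for illustration only. Each tag has an absolute
# range and the largest change a single setpoint write may make.
LIMITS = {
    "NaOH_dose_ppm": {"min": 0.0, "max": 500.0, "max_step": 50.0},
    "Cl2_residual_ppm": {"min": 0.0, "max": 4.0, "max_step": 0.5},
}


@dataclass
class Decision:
    accepted: bool   # whether the controller should apply the new setpoint
    reason: str      # human-readable explanation written to the audit log
    alarm: bool      # whether to raise an operator alarm


def validate_setpoint(tag, current, requested, limits=LIMITS, remote=False):
    """Check a requested setpoint against absolute and rate-of-change limits.

    `remote` marks writes that arrived through a remote-access session; they are
    accepted when within limits but always alarmed so an operator reviews them.
    """
    spec = limits.get(tag)
    if spec is None:
        return Decision(False, f"{tag}: unknown tag, write refused", True)
    if not (spec["min"] <= requested <= spec["max"]):
        return Decision(
            False,
            f"{tag}: {requested} outside permitted range "
            f"[{spec['min']}, {spec['max']}]",
            True,
        )
    step = abs(requested - current)
    if step > spec["max_step"]:
        return Decision(
            False,
            f"{tag}: change of {step} exceeds max single step {spec['max_step']}",
            True,
        )
    return Decision(True, f"{tag}: {current} -> {requested} accepted", remote)


def apply_setpoint(tag, current, requested, audit, remote=False):
    """Apply a setpoint if valid; append every attempt to the audit trail.

    Returns the setpoint actually in effect after the call.
    """
    decision = validate_setpoint(tag, current, requested, remote=remote)
    audit.append({"tag": tag, "from": current, "to": requested,
                  "accepted": decision.accepted, "alarm": decision.alarm,
                  "reason": decision.reason})
    return requested if decision.accepted else current


if __name__ == "__main__":
    log = []
    # The values reported for Oldsmar: 100 ppm requested to become 11,100 ppm.
    effective = apply_setpoint("NaOH_dose_ppm", 100.0, 11100.0, log, remote=True)
    print(effective, log[-1]["reason"])        # 100.0 stays in effect, alarm raised
    effective = apply_setpoint("NaOH_dose_ppm", 100.0, 120.0, log, remote=True)
    print(effective, log[-1]["reason"])        # 120.0 applied, still alarmed as remote
```

The guard lives on the controller side of the HMI, so it holds even when the HMI session itself is the attacker’s; the audit entries are what an incident responder later uses to answer the scoping questions the experts raise below.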
No one has yet determined whether the hacker was domestic or originated outside the United States. The FBI and the Secret Service are working on an investigation.
Attacker likely not a nation-state
As much as this hack resembles a similar incident last May in which Iranian state threat actors attempted to alter chlorine levels in a major attempted cyberattack against the Israeli water infrastructure, ICS cybersecurity experts say that the Oldsmar attack looks to be an amateur operation that’s likely a crime of opportunity.
“This incident did not seem to include any characteristics that indicate thorough planning and did not show the level of complexity we often observe from sophisticated actors such as nation-state sponsored groups,” Daniel Kapellmann Zafra, manager of analysis, Mandiant Threat Intelligence, tells CSO. “The attacker seemingly used a fairly common technique, accessing an internet-exposed human-machine interface (HMI), and performed modifications on the process that were unlikely to remain unnoticed.”
Lesley Carhart, principal threat analyst at industrial cybersecurity company Dragos, agrees. “They wanted to do something bad to that water utility, but they did something so drastic,” she tells CSO. “It probably would have gotten rapidly picked up. Smart state-style adversaries don’t make mistakes like that. They don’t want to get caught right away. It feels like a low-tier adversary who was either poking at something that looked like fun, or they just didn’t have a lot of aptitude in launching cyberattacks.”
A nation-state “probably would have taken out some of the monitors,” Matt Lampe, former CIO for Los Angeles Water and Power and now a partner in critical infrastructure cybersecurity advisory firm Fortium Partners, tells CSO. “If you think about it, Stuxnet was so effective, not only because it took over the machines, but it also took over the monitors. A more sophisticated attacker would have gone after some of those sensors, like the pH sensors, and made sure that they could show that those signals were normal, even though the pH changed radically.”
TeamViewer may have been a necessary evil
Many cybersecurity experts believe that the Oldsmar utility’s use of TeamViewer is a poor choice but perhaps a necessary evil. “Clearly, clearly the cybersecurity on that system was terrible. TeamViewer has years of acknowledgment of being a fairly insecure application. And it’s been known to be used as an attack surface multiple times,” Lampe said.
Carhart defends the choice of TeamViewer given its low cost and usefulness, an important factor for cash-strapped water utilities. “They’re doing things like using TeamViewer because they have no money and no people. It’s not because they don’t care about cybersecurity. It’s because there’s a pandemic going on and they have to have remote access.”
Ensuring that water utilities have enough funds to operate their systems with the latest and most secure technologies is a perpetual balancing act, according to Commissioner Maria S. Bocanegra of the Illinois Commerce Commission and Chair of the Water Committee at the National Association of Regulatory Utility Commissioners. “From the regulatory standpoint, we’re constantly asking ourselves who pays for those upgrades and how can we ensure that folks have access to safe, reliable drinking water but making sure that it’s affordable,” she says.
Questions of scope and time frame need answers
In the meantime, the Oldsmar utility should be searching for answers to some basic questions in the aftermath of the attack. “What was the scope of what they did? What did they tamper with? Was this a momentary thing, or have they been there for weeks? Those are the kind of questions that they need to have answered immediately because that kind of scoping things down is going to help them identify how much remediation they need to do now,” Carhart says.
Mandiant’s Zafra echoes her assessment and says that the utility should search for other vulnerabilities, too. “The first step should be to identify any other assets that the organization has exposed to the internet and remove them from public networks or implement alternative mitigations to account for similar attacks in the future.” In fact, all water utilities should “routinely use scanners to identify internet-connected assets within their organizations,” Zafra says. “In the case they have to expose these assets to external networks, they should prioritize hardening externally facing systems and securing remote access methods with configurations that use multi-factor authentication.”
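Zafra’s advice amounts to a recurring triage: inventory what is reachable from the internet, and for each exposed service decide between removing it from public networks and hardening it with MFA. The script below is an added example, not code from Mandiant, Dragos or the utility; the inventory records are constructed, and the port-to-service mapping and severity rules are assumptions a practitioner would tune to their own environment. It reads scan-style records and ranks findings, treating exposed control protocols as critical, exposed remote access without MFA as high, and exposed remote access behind MFA as medium.

```python
# Well-known ports used to classify an exposed service. The mapping is an
# assumption for this example; a real inventory would carry the service banner.
CONTROL_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}
WEB_PORTS = {80: "HTTP", 443: "HTTPS"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# CONSTRUCTED sample records: one line per (asset, listening port).
INVENTORY = [
    {"asset": "hmi-01", "port": 5938, "exposed": True, "mfa": False, "role": "HMI"},
    {"asset": "hmi-01", "port": 502, "exposed": True, "mfa": False, "role": "HMI"},
    {"asset": "jump-01", "port": 3389, "exposed": True, "mfa": True, "role": "jump host"},
    {"asset": "plc-03", "port": 502, "exposed": False, "mfa": False, "role": "PLC"},
    {"asset": "web-01", "port": 443, "exposed": True, "mfa": False, "role": "public site"},
]


def classify(record):
    """Return a finding dict for an exposed record, or None if nothing to report."""
    if not record["exposed"]:
        return None  # only internet-reachable services are in scope here
    port = record["port"]
    if port in CONTROL_PROTOCOL_PORTS:
        return _finding(record, "critical", CONTROL_PROTOCOL_PORTS[port],
                        "control protocol reachable from the internet; remove from public network")
    if port in REMOTE_ACCESS_PORTS:
        service = REMOTE_ACCESS_PORTS[port]
        if record["mfa"]:
            return _finding(record, "medium", service,
                            "remote access exposed with MFA; restrict source networks and monitor sessions")
        return _finding(record, "high", service,
                        "remote access exposed without MFA; require MFA or move behind a VPN/jump host")
    if port in WEB_PORTS and "HMI" in record["role"].upper():
        return _finding(record, "high", WEB_PORTS[port],
                        "HMI web interface exposed; remove from public network")
    return None


def _finding(record, severity, service, action):
    return {"asset": record["asset"], "port": record["port"], "service": service,
            "severity": severity, "action": action}


def triage(inventory):
    """Classify every record and return findings sorted by severity, then asset."""
    findings = [f for f in (classify(r) for r in inventory) if f is not None]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["asset"], f["port"]))
    return findings


def summarize(findings):
    """Count findings per severity level, including zeros, for a status report."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['severity']:<8} {f['asset']}:{f['port']} ({f['service']}) -> {f['action']}")
    print(summarize(triage(INVENTORY)))
```

Run against an export from whatever scanner the utility already uses, the sorted list is the remediation order Zafra describes: exposed control protocols first, then unauthenticated remote access, then remote access that at least has MFA in front of it.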
Water utilities need security assessments and training
To posture themselves more securely for the future, water utilities, which are mostly small and lacking in cybersecurity expertise, should pull in outside experts for overall security assessments that help spot internet exposures and other cybersecurity vulnerabilities. “I think a lot of these things can be significantly improved at a relatively low cost,” Lampe says. “You just need to have somebody take a look at it and say, these are some things you could do to improve your risk posture significantly.”
“We need to ensure that our people are fully trained and ready to identify and prevent or remediate stuff like this when it does happen,” Illinois’ Bocanegra says.
Michael Arceneaux, Managing Director of the Water Information Sharing and Analysis Center (WaterISAC), also stresses the importance of training. “There needs to be more security training across the sector, not just for those who get to fly to a conference,” he tells CSO.
WaterISAC’s Cybersecurity Analyst Jennifer Lyn Walker hopes the Oldsmar incident motivates water utilities to seek out training, including freely available training from DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
CISA is stretched thin, Arceneaux says, and is staffed to conduct only a handful of trainings every year. “They do a wonderful job, and we appreciate them very much, but it would be great if Congress gave them a lot more money.”
Copyright © 2021 IDG Communications, Inc.