Water Treatment Hack Prompts Warning From CISA
Agency Offers Critical Infrastructure Security Reminders
Following the hacking of a Florida water treatment plant, the Cybersecurity and Infrastructure Security Agency is warning the operators of other plants to be on the lookout for hackers who exploit remote access software and outdated operating systems - and to take risk mitigation steps. But the advice applies to other organizations as well, some security experts say.
The investigation into the breach of the water treatment facility in Oldsmar, Florida, continues. Local officials say a hacker gained remote access to a system to increase the amount of lye in the city's water system, but the hack was immediately thwarted. The plant's employees reportedly used TeamViewer for remote access (see: Florida City's Water Hack: Poor IT Security Laid Bare).
Computers at the Florida plant reportedly were network-connected to the supervisory control and data acquisition - aka SCADA - system and were running outdated 32-bit versions of Windows 7.
In addition to the CISA alert, WaterISAC, a security information source for water supply and wastewater facilities, notes in an alert to its members that while the incident in Florida is concerning, it appears that the hack was not part of a sophisticated operation.
"The incident seems to be more opportunistic than sophisticated. It is largely believed that a sophisticated attack would have resulted in a loss of view, loss of control and likely a loss of availability to the impacted system, not a seeming hit-and-run," the WaterISAC alert notes.
OT Security Concerns
CISA warns that water treatment facilities that use unsecured or poorly configured remote access tools and outdated operating systems risk hacker attacks targeting their industrial control systems and SCADA systems, which form the core of the operational technology infrastructure used to run and secure these plants.
"The FBI, the Cybersecurity and Infrastructure Security Agency, the Environmental Protection Agency, and the Multi-State Information Sharing and Analysis Center have observed cybercriminals targeting and exploiting desktop sharing software and computer networks running operating systems with end-of-life status to gain unauthorized access to systems," the alert notes.
Remote access and desktop sharing tools, such as TeamViewer, have previously been exploited through social engineering attacks and phishing campaigns in which user credentials are stolen, CISA notes. Malicious insiders can also exploit this software, the agency says.
"TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to remote access Trojans," CISA says. "TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs."
As a countermeasure, CISA advises users to configure TeamViewer services to use the "manual start" function so that the application and associated background services are stopped when not in use. Users should also require remote workers to receive confirmation from the host to gain any access other than "view only," CISA says. This will help ensure that if an unauthorized party is able to connect through TeamViewer, they will only see a locked screen and will not have keyboard control.
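The two conditions the alert calls out can be audited on a Windows host from PowerShell. The script below is an added example, not part of the CISA alert or the article; it assumes the TeamViewer Windows service is named "TeamViewer" and flags it when its start type is not Manual, and flags a Windows 7 (or older) operating system as end-of-life.

```powershell
# Added audit example (not from the CISA alert): reports TeamViewer services
# that are not set to manual start, and an end-of-life OS such as Windows 7.
# Assumption: the TeamViewer Windows service is named "TeamViewer".

function Get-RemoteAccessAudit {
    param(
        # Service names to inspect; "TeamViewer" is the assumed default name.
        [string[]]$ServiceNames = @('TeamViewer')
    )

    $findings = @()

    # CISA: configure TeamViewer for "manual start" so the service is stopped when not in use.
    foreach ($name in $ServiceNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) { continue }
        if ($svc.StartMode -ne 'Manual') {
            $findings += [pscustomobject]@{
                Check    = 'RemoteAccessServiceStartMode'
                Subject  = $svc.Name
                Observed = "StartMode=$($svc.StartMode); State=$($svc.State)"
                Advice   = "Set-Service -Name $($svc.Name) -StartupType Manual, then stop it when not in use"
            }
        }
    }

    # CISA: Windows 7 has end-of-life status. Windows 7 reports kernel version 6.1;
    # anything below 6.2 (Windows 8) is flagged. Architecture is recorded because the
    # Oldsmar systems were reported as 32-bit Windows 7.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -match 'Windows 7' -or [version]$os.Version -lt [version]'6.2') {
        $findings += [pscustomobject]@{
            Check    = 'EndOfLifeOperatingSystem'
            Subject  = $os.Caption
            Observed = "Version=$($os.Version); Arch=$($os.OSArchitecture)"
            Advice   = 'Upgrade to a supported operating system'
        }
    }

    return $findings
}

# Run the audit; no output rows means neither condition was observed on this host.
Get-RemoteAccessAudit | Format-Table -AutoSize
```

The "require confirmation from the host" setting lives in TeamViewer's own options rather than a Windows service property, so it has to be verified in the application itself.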
Lessons for Others
The advice CISA offers to water treatment plants also should be applied by a wide variety of other organizations, security experts say.
"Upgrading to an operating system newer than Windows 7 and securing TeamViewer are good recommendations not only for other organizations with ICS and SCADA but also for any organization in any industry that uses them," says Paul Prudhomme, a former analyst with the U.S. Department of Defense and now cyberthreat intelligence adviser at security firm IntSights.
"Threat actors could exploit the lack of continued security support for Windows 7 and poorly secured TeamViewer installations in attacks on conventional IT systems, not just ICS and SCADA."
Intel 471 Report
On Friday, security firm Intel 471 published a report noting that within the last year, researchers have found hacking groups selling access to SCADA systems on darknet markets.
Intel 471 researchers found that an Iranian hacker attempted to sell access to a "hydroelectric power plant" in Florida in May 2020. The hackers claimed to have gained access through a compromised virtual network tool.
The researchers note that there is no known connection between the attempts by the Iranian hacker to sell access in May 2020 and the security incident at the Florida treatment plant. But they say that ICS and SCADA systems are increasingly vulnerable to attacks.
"Although threat actors do not often openly discuss this type of activity, there are those who seek to target ICS or SCADA systems in order to build credibility in the cybercriminal underground," Intel 471 notes. "Actors with even a rudimentary understanding of how to use Shodan, a search engine designed to find internet-connected systems, or where to find stolen or default credentials can obtain access to industrial control systems that could lead to incidents like what happened in Oldsmar, Florida."
The breach of the water treatment facility, coupled with other hacking incidents, has also raised the issue of expanding CISA's role in helping safeguard critical infrastructure.
On Wednesday, the House Homeland Security Committee heard testimony from former CISA Director Christopher Krebs, who noted that while the agency can now conduct more threat hunting missions within federal networks, it needs additional resources to address security issues elsewhere.
"Excited to testify today w/ @DAlperovitch @CyAlliancePrez and Sue Gordon in front of @HomelandDems and @HomelandGOP. Here's a quick op-ed on my testimony. Key takeaways: we need to strengthen @CISAgov & in the private sector, leadership matters. https://t.co/gcgUYKwPR0" - Chris Krebs (@C_C_Krebs), February 10, 2021
"Unfortunately, that water treatment facility [that was hacked] is the rule rather than the exception," Krebs testified, according to The Hill. "When an organization is struggling to make payroll and to keep systems on a generation of technology created in the last decade, even the basics in cybersecurity often are out of reach. Even then, the purpose of information technology is to make things easier to manage, so it is almost counterintuitive that managing a system over the internet might be a bad thing."