Cyber doesn't go so swimmingly for Florida water company

What happened?

On Friday 5th February, a hacker tried to poison the water supply of Oldsmar, Florida, after gaining access to the water treatment control system. Through remote desktop software TeamViewer, the hacker took control of an employee’s computer at the water treatment plant and subsequently increased the amount of sodium hydroxide (lye) in the water to dangerous levels.

The consequences

The operator monitoring the system at the time of the cyber attack immediately noticed the increase in lye from 100 parts per million to 11,100 parts per million and reversed the change. This attack could otherwise have had very serious consequences for the population of Oldsmar. The treatment plant supplies water to around 15,000 residents as well as businesses in the area. Under normal circumstances, lye is a substance that is added to water to control its acidity. However, the substance is very corrosive, and can have serious health consequences if ingested. So thanks to the quick response of the keen-eyed operator at the treatment plant, the residents of Oldsmar really did have a lucky escape!

How it happened

At the time of writing, no arrests have been made. Authorities cannot publicly say whether the attacker accessed TeamViewer using a zero-day vulnerability or a known one. It is unknown where the breach even originated or how many people were behind the attack: whether the attacker or attackers operated within the state of Florida, or from across the world.

In the days following the intrusion, the treatment plant uninstalled the software that enabled the hacker to gain access, and TeamViewer has asserted that there is no indication it was their platform that was compromised. It is suspected that the attacker took advantage of systems still using Windows 7, whose end-of-life date was early last year. This is plenty of time for vulnerabilities to be discovered without any patches being officially released for them. Still, whether the intrusion was carried out through a weakness in TeamViewer, stolen credentials, a Windows 7 zero-day, or a combination of these factors, we must consider what steps to take to ensure all of these potential exposures are managed and reinforced.

How to prevent the incident from happening again, or happening to you

What prevented this intrusion from becoming life-threatening was the watchful eye and quick action of the operator. If the attacker had gotten their hands on the proper credentials, it's possible that the attack could have been carried out in the middle of the night. The use of remote software was already common in industrial plants before lockdowns to monitor performance, but with so many professionals working from home these days, it's especially imperative to (just one more time today) inspect what technology you use to enable remote work. Are your organisation's VPN servers hardened? Is multi-factor authentication enabled where possible? Is it really necessary to utilise screen-monitoring capabilities where you’re doing so? Are you and your colleagues running the latest versions of your communication platforms? What about the devices on your physical site? Do you even know what remote-access software is running on your systems, right now?

Asking such questions and being thorough in finding the answers is absolutely worth the cost, as any organisation that has been hit will tell you. Preventing yourself from being the next target and appearing on the news for all the wrong reasons is less painful and cheaper than cleaning up the aftermath of an attack. Even then, it's not a one-time endeavour; no matter what sector you operate in, it is necessary to regularly perform audits, scan your network and hosts for any suspicious behaviour or vulnerabilities (provided that you know what constitutes suspicious vs. normal in the first place), and so on and so forth. And if it turns out you need to, say, uninstall some remote desktop software, your pre-incident preparation will likely involve another round of security auditing if you have a rigorous change management plan. This is no small task.
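As an added illustration of what "suspicious vs. normal" can mean for a chemical-dosing setpoint (example code written for this post, not Awen's Profile or Dot and not the Oldsmar plant's system), the check below applies a plant-defined safe band, a maximum step size and a staffed-hours rule to a few constructed change events. The safe range, step factor and shift hours are assumptions; a real plant would take them from its process engineers and shift rota.

```python
"""Guard rails for dosing setpoint changes (illustrative, not Awen's product code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Assumed operating envelope; a real plant takes these from its process engineers.
SAFE_RANGE_PPM = (50.0, 200.0)   # assumption: documented normal band for NaOH dosing
MAX_STEP_FACTOR = 2.0            # assumption: no legitimate change more than doubles or halves a setpoint
STAFFED_HOURS = (7, 19)          # assumption: hours when an operator is watching the HMI


@dataclass
class SetpointChange:
    when: datetime
    old_ppm: float
    new_ppm: float
    source: str       # "local_hmi" or "remote_session"
    operator: str


def assess(change: SetpointChange) -> List[str]:
    """Return the rules this change breaks; an empty list means it looked normal."""
    reasons = []
    lo, hi = SAFE_RANGE_PPM
    if not lo <= change.new_ppm <= hi:
        reasons.append(f"new setpoint {change.new_ppm:g} ppm outside {lo:g}-{hi:g} ppm")
    # Only run the ratio test on positive values; zero or negative setpoints are already caught above.
    if change.old_ppm > 0 and change.new_ppm > 0:
        ratio = max(change.new_ppm / change.old_ppm, change.old_ppm / change.new_ppm)
        if ratio > MAX_STEP_FACTOR:
            reasons.append(f"step of x{ratio:g} exceeds the x{MAX_STEP_FACTOR:g} limit")
    if change.source == "remote_session" and not STAFFED_HOURS[0] <= change.when.hour < STAFFED_HOURS[1]:
        reasons.append("remote-session change while no operator is on shift")
    return reasons


def triage(changes: List[SetpointChange]) -> List[Tuple[str, List[str]]]:
    """Return (operator, reasons) for every change that broke at least one rule."""
    return [(c.operator, assess(c)) for c in changes if assess(c)]


# Constructed sample events; values are illustrative and not taken from the Oldsmar logs.
SAMPLE_CHANGES = [
    SetpointChange(datetime(2021, 2, 5, 9, 15), 100.0, 105.0, "local_hmi", "shift_op"),
    SetpointChange(datetime(2021, 2, 5, 13, 30), 100.0, 11100.0, "remote_session", "plant_admin"),
    SetpointChange(datetime(2021, 2, 6, 2, 0), 100.0, 150.0, "remote_session", "plant_admin"),
]

if __name__ == "__main__":
    for operator, reasons in triage(SAMPLE_CHANGES):
        print(operator, "->", "; ".join(reasons))
```

The second sample mirrors the 100 to 11,100 ppm jump described above and trips both the range and step rules even during staffed hours; the third shows a modest change that is flagged only because it came in remotely at night.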

The Industrial Cyber Security Ecosystem

There is no silver bullet for the problems related to the cyber security of Operational Technology (OT). There are some great solutions out there, and some which could be better. There are some amazing service providers out there who truly specialise in industrial cyber security, and others who are striving to become better in this emerging field.

We have an opportunity here to increase not only awareness but knowledge and skill. Cyber security experts, in general, have traditionally focused on IT-based cyber security. OT engineers, in general, have traditionally focused more on human safety, and not really touched cyber security.

Awen exists to reduce cyber risk and increase cyber resilience within the industrial sectors, giving value both to traditional IT-based cyber experts who are turning their attention to OT, and to OT engineers who are becoming concerned about their cyber security. Our two software products, Profile and Dot, are both about increasing awareness. Profile increases awareness of industry-focused cyber security policies and procedures. Dot increases awareness of the landscape of OT assets, and can deduce the vulnerabilities of those assets. This, in turn, gives the organisation intelligence which is truly actionable. Both products are focused on the pre-incident space, and are useful in cyber risk assessments, cyber security audits, embedding security in the OT systems design and deployment stages, and more general OT change management. This is where our solutions fit into the industrial cyber security ecosystem.

If this sounds great, and you would like to talk with us (guaranteed radical honesty, and no hard selling) then please contact us today.

This blog post was written by Awen industrial cyber software development specialists - Seren Corbett and Paige Pesigan.