Local officials said someone took over the plant’s TeamViewer remote-access software and dangerously increased the level of sodium hydroxide (lye) in the town’s water.
Federal law enforcement agencies are now investigating a cyberattack on a water treatment facility in Oldsmar, FL, in which someone was able to remotely access the plant’s systems and add a dangerous amount of a chemical to the town’s water supply.
On Monday, Pinellas County Sheriff Bob Gualtieri announced at a press conference that on Friday morning an employee at Oldsmar’s water treatment plant saw his mouse cursor moving on its own, but thought nothing of it, because staff in the field routinely use the TeamViewer remote-access software to reach the plant’s systems from their own devices.
However, according to Gualtieri, it happened again that afternoon, and this time the person moving the mouse changed the level of lye, or sodium hydroxide, from 100 parts per million to 11,100 parts per million. The chemical is used to control the pH of the town’s drinking water, but at those levels sodium hydroxide becomes dangerous even to touch.
“This is clearly a significant and potentially dangerous increase. Sodium hydroxide is the main ingredient in liquid drain cleaners. It is also used in water treatment plants to control water acidity and remove metals from drinking water,” Gualtieri said.
After watching the intruder do this on his screen, the employee immediately returned the level to normal, called his supervisor and then called the police.
The situation has now become national news, with Florida Senator Marco Rubio writing on Twitter to ask for the FBI’s assistance and saying the incident “should be addressed as a national security issue.”
Gualtieri and others working at the plant said there was never a danger, because the treatment plant has multiple safeguards that would have prevented such a change from taking effect. Gualtieri noted that even if the change had been applied, it would have taken about 24 hours for the chemical to reach the water supply.
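As an added illustration of the kind of safeguard the sheriff describes (example code written for this article, not software from the Oldsmar plant, TeamViewer or any vendor): a setpoint guard that checks each requested sodium hydroxide dosing change against an operating range, a maximum single step and a maximum net change over a time window, and rejects and alerts on a change like 100 to 11,100 ppm instead of passing it to the dosing system. The limits and the HMI events are constructed for illustration; a real plant would take its limits from its process engineers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DosingLimits:
    chemical: str
    min_ppm: float        # lowest setpoint the process ever needs
    max_ppm: float        # highest setpoint the process ever needs
    max_step_ppm: float   # largest change allowed in one operator action
    max_drift_ppm: float  # largest net change allowed within drift_window_s
    drift_window_s: int
# Constructed limits for illustration; a real plant takes these from its process engineers.
NAOH_LIMITS = DosingLimits("sodium hydroxide", 50.0, 200.0, 25.0, 40.0, 3600)

def evaluate_setpoint_change(limits, history, ts, requested_ppm, source):
    """history is the accepted (timestamp, ppm) list; returns (accepted, alert_message)."""
    current_ppm = history[-1][1]
    step = abs(requested_ppm - current_ppm)
    # Baseline = setpoint in effect at the start of the window, so small steps cannot creep past it.
    baseline = next((p for t, p in reversed(history) if t <= ts - limits.drift_window_s), history[0][1])
    drift = abs(requested_ppm - baseline)
    reasons = []
    if not limits.min_ppm <= requested_ppm <= limits.max_ppm:
        reasons.append(f"{requested_ppm:g} ppm is outside {limits.min_ppm:g}-{limits.max_ppm:g} ppm")
    if step > limits.max_step_ppm:
        reasons.append(f"single step of {step:g} ppm exceeds {limits.max_step_ppm:g} ppm")
    if drift > limits.max_drift_ppm:
        reasons.append(f"net change of {drift:g} ppm in {limits.drift_window_s}s exceeds {limits.max_drift_ppm:g} ppm")
    if reasons:
        return False, (f"ALERT [{source}] {limits.chemical} setpoint {current_ppm:g} -> "
                       f"{requested_ppm:g} ppm rejected: " + "; ".join(reasons))
    return True, ""

def run_guard(events, limits=NAOH_LIMITS, initial=(0, 100.0)):
    """Replay (timestamp, source, requested_ppm) events; rejected changes are never applied."""
    history, alerts = [initial], []
    for ts, source, requested in events:
        accepted, msg = evaluate_setpoint_change(limits, history, ts, requested, source)
        if accepted:
            history.append((ts, requested))
        else:
            alerts.append(msg)
    return alerts, history[-1][1]   # (alerts raised, setpoint in effect afterwards)

# Constructed HMI events: routine adjustments, a creeping change, then the Oldsmar-style jump.
SAMPLE_EVENTS = [
    (600, "local-hmi", 110.0),          # accepted
    (1200, "remote-session", 130.0),    # accepted: step of 20 ppm
    (1800, "remote-session", 150.0),    # rejected: net change of 50 ppm within the hour
    (3000, "remote-session", 11100.0),  # rejected on every rule
]
```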
Echoes of previous attacks
However, the incident has raised concerns and drawn comparisons to similar attacks around the world.
Many online referenced Russia’s 2015 attack on the Ukrainian power grid and last year’s attacks on at least two water treatment plants in Israel.
Justin Fier, a former national intelligence officer and cyber intelligence manager at cybersecurity firm Darktrace, said the attack was “a clear reminder of the risks from the hyper-connected world we live in.”
“Analog ICS systems are either updated or powered by remote monitoring and control systems, which exacerbates the enormous challenges facing defenders today. Governments around the world will definitely look at this event and examine their systems to see if they are similarly vulnerable,” Fier said. He noted that the media attention surrounding the attack may also have been the goal of those behind it.
“This time an amateur flick of a rogue mouse cursor has captured the preparers, but we see a sharp increase in sophisticated, sneaky attackers who go under the radar unnoticed. What will happen next time there is no flashing red light? Critical environments fail gracefully.”
The rise of remote tools
Many cybersecurity experts said the shift to remote tools such as TeamViewer was a result of the COVID-19 pandemic and a more general push to digitize systems. But that digitization has brought drawbacks, as this attack shows.
It is also getting easier for attackers to pick vulnerable targets almost at random using platforms like Shodan. Etay Maor, senior director of security strategy at Cato Networks, said attacks like this have happened before, both in the US and abroad, but the increased dependence on remote access and remote management systems has made it easier for average hackers to do harm.
Maor shared a simple search he ran on Shodan that day for Remote FrameBuffer systems with no username or password. It returned more than 6,300 results, about 900 of them in the US and about 1,500 in Sweden.
“Look at how many results I got from this very pure and simple search. I can make similar searches for certain protocols, software, hardware, etc. It is not an easy task to secure these systems; on the one hand you want easy administration and management – think of an emergency,” Maor said.
“However, these systems must be appropriately secured, use more than a username and password for authentication, and be constantly monitored for threats and breach attempts. Remote administration, like working remotely, is a really difficult task these days. It depends on productivity and efficiency; it may require a new way of thinking about how to connect, secure and manage all these systems while allowing them to
To show how easy it is for attackers, Maor shared a screenshot of his Shodan research, showing how easily the systems of various utility companies can be reached and accessed through such remote tools.
“Whatever happens, I am literally one click away from controlling this system,” said Maor.
Andrea Carcano, co-founder of Nozomi Networks, echoed these comments and pointed to the relative lack of sophistication of the attack, since the attacker made no effort to hide their presence from the personnel monitoring the water treatment operation.
Carcano added that the attacker apparently did not know that such a large change would trigger automated safeguards and alerts, suggesting the person had little background knowledge of the system.
“Nevertheless, this phenomenon is important as it reflects the state of too many industrial control system installations, especially smaller ones with smaller budgets and where safety is often overlooked,” Carcano said.
“Remote access, when not designed specifically with security in mind, is often used by remote attackers to infiltrate an ICS network. In this very case, Oldsmar’s water treatment plant used an instance of TeamViewer. It is accessible from the Internet.”
Seyi Fabode, CEO of water distribution system monitoring company Varuna, explained that the water industry has lost a significant amount of expertise as a generation of experts retires, and many treatment facilities are struggling to find people who can detect the kind of abnormal change a hacker might try to make.
The need for updated technology has brought its own problems, given the lack of cybersecurity capability in the industry.
“As new technology tools (IoT, new treatment methods, etc.) are brought to the industry, the industry does not have the expertise to detect such hacking activities,” said Fabode, adding that it is important for these businesses to understand cybersecurity and also have systems in place to detect anomalies. “These are water systems, not tech companies, and vendor partners should be technology experts and provide support.”
Utilities as a target
Some cybersecurity experts cited the 2016 case in which Iranian hackers targeted the small Bowman Avenue Dam in Rye Brook, NY as part of a larger conspiracy.
Austin Berglas, former head of the FBI’s New York cyber branch and now a manager at cybersecurity firm BlueVoyant, led the investigation into the Bowman Avenue Dam case and said water facilities have long been targets of cyberattacks by both criminal and state-backed groups.
“Water utilities rely on supervisory control and data acquisition (SCADA) systems to manage the automated processes of water distribution and treatment. Many of these industrial control systems are outdated, unpatched and ready for online review, leaving them incredibly vulnerable to compromise,” Berglas said.
“In addition, many ICS solutions are designed for environments that are not facing the Internet and therefore did not include certain basic security controls. This presents additional vulnerabilities as more and more operational technology environments allow access to ICS systems over the Internet,” Berglas added, highlighting the vulnerability of critical infrastructure when ICS systems are left exposed to the Internet rather than isolated.
Hundreds of cyberattacks on schools and hospitals throughout 2020 have raised concerns about the country’s ability to protect critical institutions.
But many cybersecurity experts said foreign governments, including the US, have spent years targeting utilities because of the damage such attacks can do.
Cerberus Sentinel Vice President Chris Clements noted last month that a utility in Independence, MO was hit by a cyberattack that shut down its payment portals for a month, leaving residents to receive bills for 60 days of usage at once.
Clements and others, such as Vectra CEO Hitesh Sheth, said utilities and other infrastructure operators need to go beyond spending money on the problem and implement tighter controls before it’s too late.
“Utilities, including power and water systems, have been prime targets of cyberattacks for years. There is a huge Russian cyber team focused on hacking the American energy infrastructure,” said Sheth.
“In the Oldsmar case, it’s too early to assign blame or say why. However, we’ve seen enough breaches in the US power grid, water systems, and even nuclear power plants to conclude: protecting these critical facilities and improving their cyber defenses should be a much higher priority.”