For a little more than a decade, experts have warned that the United States' utility infrastructure is vulnerable to cyber attack. The hack of a Florida water treatment plant, discovered a few weeks ago, has brought those warnings into stark reality and offers lessons in how to fix the problems with relative ease.
Oldsmar, Florida is a small town of 5,300 households and 14,000 inhabitants. The attackers gained access to the chemical-mix controls and raised the level of lye to more than 100 times the usual amount.
Lye, or sodium hydroxide, is deliberately added to drinking water in very small amounts to remove metals and reduce the acidity of the water. It also prevents corrosion in plumbing. So while the chemical has its justification, an increased concentration in the water can quickly lead to a dangerous situation. Lye is a caustic chemical often used in drain cleaners. It can cause severe skin burns, and even highly diluted it can cause blindness if it gets in the eyes.
According to all available information, the attackers gained access through TeamViewer, a software product used primarily for remote maintenance and support. The software has been on the market for many years and is used by many companies to give employees and service providers remote-maintenance access. The software, however, is built to traverse user firewalls, and that is precisely the feature the attacker relied on.
It is too easy to blame TeamViewer, however. It is not designed, or even meant, to be a secure interface. How it was used shows the significant security gaps in infrastructure systems that should be checked and closed.
1. Outdated IT infrastructure
Utilities across the US are rife with outdated hardware and software. In the Florida case, the remote-maintenance software was installed on an old 32-bit Windows 7 system that had not been updated in several years. Microsoft stopped providing security updates for Windows 7 in January 2020, and the 64-bit edition offers significant security benefits over the 32-bit one.
Upon request, customers can contract with Microsoft to extend maintenance through Windows 7 Extended Security Updates. The utility did not have such a contract.
The lesson here is that outdated systems are vulnerable, but even when a system cannot be replaced, minimal actions such as an extended-update contract keep its security patches current.
2. Insecure passwords
Even if the systems had been properly maintained, another lapse left the computer controlling the plant, as well as the employees' remote computers, completely defenseless against hackers: a well-known and commonly used password. The hacker either guessed or illegally obtained the password and gained easy access to the PCs.
Password management is the most common flaw in a security protocol. Most users are reluctant to use more than one password; they share simple, easily reproduced passwords; and they rarely change a password unless they are hacked. Doing more than that for common applications like social media can be more annoying than critical, but in utility systems it can be catastrophic. That was the case in Florida.
Password manager software can overcome much of this problem. It can require longer, more complex passwords, hamper the use of shared passwords, require frequent changes, and eliminate the need to remember individual credentials.
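To make the password lesson concrete, here is an added example (not code from the article, the utility, or TeamViewer) of the kind of policy check a control system's login service can enforce before it accepts a new credential: a minimum length, several character classes, rejection of commonly used passwords, and rejection of any password that is already in use on another machine or in the user's own history. The common-password set, the minimum length of 14 and the PBKDF2 work factor are assumptions chosen for the example; a real deployment would load a large published list and tune the work factor to its hardware.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of commonly used passwords. A real deployment would load a
# large published list (for example a breached-password corpus) instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}

MIN_LENGTH = 14          # assumption: policy minimum chosen for this example
PBKDF2_ROUNDS = 100_000  # assumption: work factor for the stored hashes


def hash_password(password, salt):
    """Salted, slow hash for storing a credential; the plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def new_record(password):
    """Create a (salt, hash) pair for a freshly chosen password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def was_used_before(candidate, records):
    """True if the candidate matches any stored (salt, hash) record.

    Pass the user's own history to block rotating back to an old password, or
    other accounts' records to block one password being shared across machines.
    """
    return any(hmac.compare_digest(hash_password(candidate, salt), digest)
               for salt, digest in records)


def check_password(candidate, records=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Count how many of lower, upper, digit and symbol classes are present.
    classes = sum(bool(re.search(pattern, candidate))
                  for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if was_used_before(candidate, records):
        problems.append("matches a previously used or shared password")
    return problems


if __name__ == "__main__":
    # Constructed scenario: the same password already protects another workstation.
    shared = [new_record("Plant-Access-2020!")]
    for pw in ("password", "Plant-Access-2020!", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw, shared) or "OK")
```

The reuse check compares the candidate against stored salted hashes rather than against plaintext, so the service can refuse a password that is already protecting a different workstation without ever holding the other machine's password in the clear.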
3. Security awareness
The utility did some things right. As the attacker was fiddling with the chemical mix, an attentive employee stopped them cold before real damage was done.
On February 5, 2021, at around 1:30 p.m., the employee noticed the mouse pointer on a computer monitor moving about the screen seemingly on its own, raised an alarm, and reversed the changes as they were being made to the system.
System security is not a "one and done" effort. It requires constant vigilance.
4. Multi-level protection or emergency plan
Another positive: the utility had warning sensors that would have sounded alarms if the chemicals were out of range, and it had 24 hours before any water reached customer taps. It also did not wait to announce the hack publicly, which helps the organization maintain trust in the community. So always have a pre-defined plan for what to do in case of an attack.
But another negative: the ease with which the hackers accessed the system means they could also have disabled the alarm system.
Along with an emergency plan, it is crucial to have multiple layers of security in place. That includes firewalls, malware scanning, and up-to-date, short-lived PKI certificates.
5. Security is your responsibility
The Oldsmar plant escaped the hack with little more than a black eye, for now, but it is clear that the utility expected TeamViewer to provide security automatically. That is the final lesson to be learned. The internet is a vast and largely unsecured environment. It was never designed with security in mind, and very few companies provide secure technology. TeamViewer was quick to distance itself from the hack and responded with the following statement:
"TeamViewer is aware of the U.S. media reports of unauthorized remote access to the water treatment plant in Oldsmar. We are monitoring the situation very closely. However, TeamViewer has no indication that our software or platform has been compromised. As a global leader in connectivity solutions, we have the highest security measures in place and offer state-of-the-art authentication mechanisms. TeamViewer is of course ready to assist the authorities in their investigations, e.g. how the cyber criminals may have obtained login credentials that are exclusively set and encrypted on the device side. In general, TeamViewer condemns any abusive behavior on its platform."
There may be security measures in the product, but if they aren’t used, it’s not the product’s fault.
It has been demonstrated, however, that many technology users either do not know the security features exist, or are advised to turn them off if they cause system performance to degrade. There is currently no evidence for either scenario here, but the FBI and the Secret Service are working to find answers. So far, nothing is known about how many attackers were involved or who they are.
This should serve as a wake-up call that makes it clear to authorities that cybercrime is a ubiquitous problem and needs to be taken seriously.
This article originally appeared on the German website IT-Wegweiser.