Disaster almost struck on Friday, February 5, when an unidentified outsider attempted to drastically increase the sodium hydroxide levels in the water supply of the city of Oldsmar, Florida. The impact could have been tragic as they attempted to raise the setting from 100 parts per million to 11,100 parts per million. Normally sodium hydroxide is harmless when used to regulate PH levels in drinking water, but at that high of a level it could have caused severe damage to anyone who consumed it. While this doesn’t sound like a typical data breach that could have been prevented with cybersecurity best practices, there are definitely cyber controls that could have helped avoid the attempt. Below we dig into the cybersecurity vulnerabilities we identified from the situation and our mitigation recommendations your business can learn from.
How could this have happened?
This is an active investigation that’s being analyzed to figure out what happened and identify the outsider. Reports following the incident indicate a significant number of basic cyber mistakes were made that left the city’s water supply vulnerable to anyone with an internet connection. Cyber risk can be substantially reduced by implementing basic technology controls and following good cyber hygiene. However, many businesses struggle to stay on top of cybersecurity, often because of a lack of manpower, lack of funding, or a lack of knowledge and expertise.
Let’s look at five cybersecurity vulnerabilities the water utility had that could possibly made the attempt possible. Applying these lessons to your business will increase your protection from cyber criminals.
Vulnerability #1: Sensitive SCADA equipment was exposed directly to the internet.
Initial reports indicate the outsiders utilized a common remote access software tool named TeamViewer to access the supervisory control and data acquisition (SCADA) control system. TeamViewer enables a user to remotely view a desktop’s screen and control the mouse to move and click. The use of tools like TeamViewer has substantial benefits, such as giving personnel the ability to perform system status checks remotely and responding to alarms or alerts. However, the risk of using remote access tools like TeamViewer can be massive.
Recommended Mitigation
Industrial Control Systems (ICS) and SCADA equipment should be kept isolated and ‘air gapped’ from the rest of the computer network. If ICS or SCADA systems are going to be exposed to the internet, additional controls must be implemented to mitigate the risk. If remote access software is going to be utilized, it must leverage a one-way unidirectional approach, meaning the user is limited to view only and cannot click or take action on the remote device.
Vulnerability #2: A firewall was not in place to protect sensitive SCADA equipment.
Connecting any technology to the internet without a firewall is a recipe for disaster. Publicly accessible tools and websites like Shodan are constantly searching and probing for unprotected systems connected to the internet. Once hackers identify an unprotected computer, they then begin probing with known vulnerabilities to take control of the device and wreak havoc.
Recommended Mitigation
Implement a firewall to protect all internet-connected devices and keep the firewall updated and current. Logging should be enabled on the firewall to watch for intrusion attempts.
Vulnerability #3: A single common password was shared by all computers for remote access, and no additional authentication was required.
The reuse of passwords is a major issue in cybersecurity. It is common for passwords to be compromised in a data breach, and then that user ID and password combination is shared by hackers on the dark web. Hackers will then use these compromised credentials for ‘credential stuffing’ attacks, where hackers use scripts to try these credentials on thousands of web sites – banking, shopping, etc. The use of unique passwords mitigates these risks but unfortunately many users will use the same password on multiple sites. In this case, a single password was the only thing required to access TeamViewer and control the water supply equipment.
Recommended Mitigation
Create unique passwords and utilize a password manager to help track your passwords. For sensitive access, like SCADA equipment or TeamViewer, utilize multi-factor authentication (MFA) to require additional levels of authentication beyond just a password.
Vulnerability #4: All computers used by water plant personnel were connected to each other, including the SCADA system.
If all computers are connected to the same network, and any node on that network is compromised, then the entire network is compromised. Specific attention should be paid to dividing the network into separate secure segments, thus providing an additional level of protection if one computer is attacked.
Recommended Mitigation
Sensitive pieces of technology, like SCADA and ICS, should be walled off from the remainder of the network and isolated.
Vulnerability #5: The technology was running on an outdated 32-bit version of the Windows 7 operating system.
Windows 7 is an end of life operating system that is vulnerable to attack (unless the customer purchases an Extended Security Update (ESU) plan. Microsoft ended support for Windows 7 in January 2020. Accordingly, Microsoft is no longer producing security updates for Windows 7 while it contains many well-known vulnerabilities that hackers are able to exploit.
Recommended Mitigation
Use up-to-date versions of operating systems, such as Windows 10, and keep them current by applying the last updates. If a system cannot be updated to a modern operating system, it must be isolated from the internet and the rest of the network.
Understanding Your Cyber Risk
Businesses must ensure that appropriate cyber controls have been implemented through their enterprises, including both IT and operations technology (OT), like ICS and SCADA systems. If this water district had performed a basic cybersecurity audit or cyber risk assessment, the five vulnerabilities we’ve highlighted in this blog post would have been flagged. Then a remediation plan should have been created to implement these basic cyber controls over a period of time. Lack of awareness of cyber risks and controls is no longer acceptable in today’s world. The significance of the risk should link directly to the investment made to mitigate the risk.
Once cyber controls are implemented and operating effectively, then it is a good idea to perform quarterly vulnerability scans to identify potential weaknesses and out of date software. Periodic penetration tests, where a skilled white hat hacker attempts to infiltrate your systems, is a great idea to test your defenses.
Whether you’re looking for supplemental cybersecurity expertise to add to your team, or technology advisors to take care of it all for you, Anders Technology can help you implement cybersecurity best practices to protect you and your organization from evolving threats. Contact an Anders advisor below to see how we can help you mitigate security risk and defend against a costly cyberattack.