CISA Outlines IT Precautions After Florida Water Facility Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published advisory AA21-042A regarding the Feb. 5 electronic intrusion into a Florida water treatment facility by an unknown attacker.

The attacker used TeamViewer software and attempted to change the water supply's chemical composition at the Oldsmar water treatment facility near Tampa, Fla., according to Pinellas County Sheriff Bob Gualtieri in a Reuters interview. TeamViewer is a remote desktop software program typically used by IT pros for remote device maintenance.

A technician at the facility observed changes being made on screen using the plant's supervisory control and data acquisition (SCADA) software. The attacker attempted to increase the levels of sodium hydroxide (lye) in the water, a caustic substance that's used to change water acidity, but the changes were reversed and it's said the public wasn't endangered.

Remote Sharing Apps and Windows 7
CISA's alert didn't offer specific details on the attack, although it offered plenty of advice for organizations running SCADA solutions and older software, including Windows 7.

The alert cautiously suggested that it was "possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system." The alert similarly stopped short of saying outright that the plant operators' use of the Windows 7 operating system contributed to the attack, although it implied as much through its descriptions. Windows 7 reached end of support last year and is now supported only through Microsoft's Extended Security Update program.

IT departments sometimes take the view that if systems aren't exposed to the Internet, then they're secure. It's unclear from the alert's description whether the plant was running unpatched Windows 7, or if it mattered, since TeamViewer was used to gain access privileges.

In a Feb. 9 RSA Conference interview, Bryson Bort, founder and CEO at Scythe, gave the opinion that the attack principally involved TeamViewer, although the use of outdated software in industrial control systems is prevalent. He speculated that the attacker was an amateur since the attack happened during business hours and was visible on screen. The RSA Conference in May will have an "Innovation Sandbox" demo of industrial control system attacks.

A Massachusetts advisory to public water suppliers provided the detail that "all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed."

Despite the lack of specifics, CISA's alert suggested that the plant attack was an example of a trend where remote desktop solutions and older software are getting leveraged in attacks.

"The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have observed cyber criminals targeting and exploiting desktop sharing software and computer networks running operating systems with end of life status to gain unauthorized access to systems," the alert noted.

Security Advice
CISA offered the usual general advice of keeping software and anti-virus solutions up-to-date, using multifactor authentication and having "strong passwords to protect Remote Desktop Protocol (RDP) credentials." Systems that can't be updated should be isolated. Organizations should close unused RDP ports and log RDP login attempts.

The alert also had specific advice regarding the use of TeamViewer. The program should be configured to "'manual start,' so that the application and associated background services are stopped when not in use." Organizations should also use a "Block and Allow" list to limit TeamViewer use to people in the organization. It suggested other measures, such as using rotating passwords and randomly generated 10-character passwords for TeamViewer.
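Two of the measures above, logging RDP login attempts and restricting remote access to an allow list, are easy to describe and easy to neglect. The following is an added example, not code from the alert or from CISA, showing how a defender might review remote-desktop logon records against an allow list of approved sources and flag bursts of failed attempts. The event records are constructed for this example and only mimic the Windows Security log fields (Event ID 4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP); the allow list of jump-host addresses, the thresholds and the `Src=` field format are assumptions.

```python
"""Review RDP logon records against an allow list and flag failed-logon bursts.

Added example (not CISA's or the plant's tooling). Input records are constructed
here and only mimic Windows Security log fields; in practice they would come
from the Security event log or a SIEM export.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# One constructed record per line: timestamp, Event ID, logon type, user, source.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"User=(?P<user>\S+)\s+Src=(?P<src>\S+)$"
)

# Constructed sample data (not real plant logs). Interactive console logons
# (LogonType=2) are included to show that they are filtered out.
SAMPLE_EVENTS = """\
2021-02-05T08:01:12 EventID=4624 LogonType=10 User=operator Src=10.20.0.15
2021-02-05T08:02:30 EventID=4624 LogonType=2 User=operator Src=-
2021-02-05T13:10:01 EventID=4625 LogonType=10 User=admin Src=198.51.100.23
2021-02-05T13:10:04 EventID=4625 LogonType=10 User=admin Src=198.51.100.23
2021-02-05T13:10:07 EventID=4625 LogonType=10 User=admin Src=198.51.100.23
2021-02-05T13:10:09 EventID=4625 LogonType=10 User=admin Src=198.51.100.23
2021-02-05T13:10:12 EventID=4625 LogonType=10 User=admin Src=198.51.100.23
2021-02-05T13:10:20 EventID=4624 LogonType=10 User=admin Src=198.51.100.23
2021-02-05T14:00:00 EventID=4624 LogonType=10 User=vendor Src=10.20.0.99
"""

# Hypothetical allow list: the only hosts that should ever open RDP sessions.
ALLOWED_RDP_SOURCES = {"10.20.0.15", "10.20.0.16"}


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int    # 4624 = success, 4625 = failure
    logon_type: int  # 10 = RemoteInteractive (RDP)
    user: str
    src: str


def parse_events(text: str) -> list[LogonEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append(LogonEvent(
            ts=datetime.fromisoformat(m["ts"]),
            event_id=int(m["eid"]),
            logon_type=int(m["lt"]),
            user=m["user"],
            src=m["src"],
        ))
    return events


def remote_logons(events: list[LogonEvent]) -> list[LogonEvent]:
    """Keep only RDP (RemoteInteractive) logon events."""
    return [e for e in events if e.logon_type == 10]


def unauthorized_rdp_logons(events: list[LogonEvent],
                            allowed: set[str]) -> list[LogonEvent]:
    """Successful RDP logons from any source not on the allow list."""
    return [e for e in remote_logons(events)
            if e.event_id == 4624 and e.src not in allowed]


def failed_rdp_bursts(events: list[LogonEvent], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """Sources with at least `threshold` failed RDP logons inside `window`.

    Returns {source: largest number of failures seen within one window}.
    """
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in remote_logons(events):
        if e.event_id == 4625:
            failures[e.src].append(e.ts)
    bursts = {}
    for src, stamps in failures.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in unauthorized_rdp_logons(evs, ALLOWED_RDP_SOURCES):
        print(f"ALERT unlisted RDP source: {e.ts} user={e.user} src={e.src}")
    for src, n in failed_rdp_bursts(evs).items():
        print(f"ALERT {n} failed RDP logons from {src} within 5 minutes")
```

In the sample data the burst of failures from 198.51.100.23 is followed by a successful logon from the same address, and a second success arrives from an internal host that is not on the allow list; both are exactly the kind of event that "log RDP login attempts" is meant to surface, and neither would be caught by a check that looked only at failures.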

More details can be found in the alert, which also included advice on the physical security controls that should be used for chemicals in water-treatment plants.

First Attack?
SCADA systems are considered general targets these days, but Oldsmar may have been the first American water treatment plant attacked, or at least the first publicized, according to a blog post by Brian Kime, a senior analyst at the Forrester research and consulting firm.

Kime added the important detail, sourced to the Wall Street Journal, that the plant had already upgraded to another remote desktop application, but hadn't removed the older TeamViewer software from its network. Organizations should generally remove older software and hardware that's not in use, he noted. 

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
