Following news that the FBI and the Secret Service are investigating last week's cyberattack on a Florida water treatment plant, the FBI is warning companies against using outdated computer setups and urging them to evaluate how remote access software is deployed, since both can leave the door open for hackers.
A Reuters report on Monday confirmed that the attackers that compromised a water treatment plant in Oldsmar, a city just north of Tampa Bay, last Friday did so after remotely gaining access to TeamViewer, desktop sharing software the utility wasn't using but still had installed on its machines.
A cybersecurity advisory via the Massachusetts Department of Environmental Protection issued to public water suppliers has been key to learning more about the security setup at the water plant. The advisory claims all of the computers at the Oldsmar plant were connected to the utility's SCADA controls and used a 32-bit version of Windows 7. 32-bit versions of Windows are substantially less secure than 64-bit versions; data execution protection, kernel patch protection, and driver signing are all less robust on 32-bit versions. On top of that, all the machines used and shared the same password for remote access; none of them used a firewall.
The plant has since removed TeamViewer from its systems.
"The FBI has observed corrupt insiders and external cyber actors using desktop sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors," the FBI notice, issued Tuesday, read.
While the FBI acknowledged that desktop sharing software like TeamViewer is legitimate, it's also been a popular tool used by attackers for phishing campaigns, social engineering attacks, and in insider threat scenarios. As the notification points out, software like TeamViewer can give an attacker the keys to a system, allow them to move across a network, inject code, drop files onto a machine, protect malware from being discovered, obscure their activity and perform wire transfers.
Windows 7, for which Microsoft ended support in January 2020, had a role in the Oldsmar water hack as well. The FBI reiterated this week that attackers prioritize finding victims running older Windows systems. Attacks that take advantage of Remote Desktop Protocol, or RDP, continue to be an easy way for hackers to get in as well.
To prevent incidents like what happened in Oldsmar last week from happening to them, the FBI is encouraging organizations to exercise caution and implement the following best practices:
- Use multi-factor authentication;
- Use strong passwords to protect Remote Desktop Protocol (RDP) credentials;
- Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure;
- Audit network configurations and isolate computer systems that cannot be updated;
- Audit your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts;
- Audit logs for all remote connection protocols;
- Train users to identify and report attempts at social engineering;
- Identify and suspend access of users exhibiting unusual activity;
- Keep software updated.
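Several of the items above (log RDP login attempts, audit logs for all remote connection protocols, identify users exhibiting unusual activity) come down to routinely reading the remote-logon events that Windows already records. The script below is an added example, not code from the FBI notice or the Massachusetts advisory, of what such an audit can look like. It reads constructed records modelled on Windows Security events 4624 (logon succeeded) and 4625 (logon failed) with logon type 10 (RemoteInteractive, i.e. RDP), and flags failed-logon bursts, a success that follows a burst, logons from an unexpected source or outside working hours, and one credential reaching several hosts from one source, which is exactly what a password shared across every machine makes easy. The host names, IP addresses, allow-list, working hours and threshold are assumptions chosen for the example.

```python
"""Added example: auditing RDP logon events against the FBI checklist.

The log lines are constructed for this example; their layout mimics the
fields a SIEM would export from Windows Security events 4624 (logon
succeeded) and 4625 (logon failed), where Logon Type 10 means
RemoteInteractive, i.e. an RDP session."""

from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records: timestamp|host|event_id|logon_type|account|source_ip
SAMPLE_LOG = """\
2021-02-05T02:10:01|plc-hmi-01|4625|10|operator|203.0.113.7
2021-02-05T02:10:04|plc-hmi-01|4625|10|operator|203.0.113.7
2021-02-05T02:10:07|plc-hmi-01|4625|10|operator|203.0.113.7
2021-02-05T02:10:10|plc-hmi-01|4625|10|operator|203.0.113.7
2021-02-05T02:10:13|plc-hmi-01|4625|10|operator|203.0.113.7
2021-02-05T02:10:16|plc-hmi-01|4624|10|operator|203.0.113.7
2021-02-05T02:12:40|plc-hmi-02|4624|10|operator|203.0.113.7
2021-02-05T09:15:00|plc-hmi-01|4624|10|jsmith|10.0.5.21
2021-02-05T09:20:00|plc-hmi-01|4624|2|jsmith|-
2021-02-05T13:05:00|scada-eng-01|4624|10|jsmith|10.0.5.21
"""

# Assumed policy for the example: a single admin jump host is the only
# expected RDP source, staff work 07:00-18:59, and five failures from one
# source is the point at which we call it a password-guessing attempt.
ALLOWED_SOURCES = {"10.0.5.21"}
BUSINESS_HOURS = range(7, 19)
FAIL_THRESHOLD = 5


def parse_events(text):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, logon_type, account, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def audit_rdp(events):
    """Return a list of (rule, detail) findings for RDP (logon type 10) events."""
    findings = []
    failures = defaultdict(int)          # source IP -> failed RDP logons seen so far
    hosts_by_login = defaultdict(set)    # (account, source IP) -> hosts reached

    for e in events:
        if e["logon_type"] != 10:
            continue                     # only remote interactive (RDP) logons
        where = f"{e['account']}@{e['host']} from {e['src']} at {e['time']:%H:%M}"
        if e["event_id"] == 4625:
            failures[e["src"]] += 1
        elif e["event_id"] == 4624:
            hosts_by_login[(e["account"], e["src"])].add(e["host"])
            if e["src"] not in ALLOWED_SOURCES:
                findings.append(("UNEXPECTED_SOURCE", where))
            if e["time"].hour not in BUSINESS_HOURS:
                findings.append(("AFTER_HOURS", where))
            if failures[e["src"]] >= FAIL_THRESHOLD:
                findings.append(("SUCCESS_AFTER_FAILURES", where))

    for src, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("BRUTE_FORCE", f"{n} failed RDP logons from {src}"))
    # One credential used from one unexpected source to reach several hosts is
    # what a password shared across every machine makes trivial.
    for (account, src), hosts in hosts_by_login.items():
        if len(hosts) > 1 and src not in ALLOWED_SOURCES:
            findings.append(("MULTI_HOST_ACCESS",
                             f"{account} from {src} reached {sorted(hosts)}"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a daily report."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, detail in audit_rdp(parse_events(SAMPLE_LOG)):
        print(f"{rule:24} {detail}")
```

On the sample data the script reports one failed-logon burst from 203.0.113.7, two successful logons that immediately follow it (both after hours and from a source that is not on the allow-list), and the same account reaching two HMI hosts from that source; the on-site administrator's daytime logons from the allowed address produce nothing. The same rules apply unchanged to events pulled from a real collector, as long as the export carries the same six fields.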
The Massachusetts advisory also includes some helpful tips, including restricting remote connections to supervisory control and data acquisition (SCADA) systems, installing a firewall software appliance with logging, and installing a VPN.
While the aforementioned tips are good guidance, and a nice starting point for organizations that may not have the most robust security, they are not always easily achievable by small cities and towns that lack the funding and staff to properly secure public infrastructure, as we wrote on Monday.
We learned earlier this week that all of Oldsmar's cybersecurity services, including those in place at the water treatment plant, are managed by one man, City Manager Al Braithwaite.
That's a lot of responsibility to shoulder, and it is apparently the case at many water utilities.
Research published in the Journal of Environmental Engineering (.PDF) in 2020 confirms that over the last few years there's been an increase in the "frequency, diversity, and complexity of cyberthreats to the water sector." The research looked at fifteen incidents and highlighted the fact that things could actually be worse than they sound. "Many cybersecurity incidents either go undetected, and consequently unreported," the research claims, because it may "jeopardize the victims reputation, customers trust, and, consequently, revenues."
“Most industrial sectors, and WWS in particular, now are embracing the digital age, but still lack dedicated cybersecurity specialists to provide customized security guidelines, secure systems, and train employees,” the research reads.
For many facilities, the FBI's notice won't be a cure-all but an all-too-present reminder of the work that needs to be done at water utilities.