Over roughly the past two years, a number of incidents have raised the specter of computer hacking being used to do direct physical damage to people. To date these incidents have centered on penetration of utility grids and use of unauthorized access to induce malfunctions in equipment that can cause dangerous issues. The Florida city of Oldsmar recently experienced what might be the biggest scare of this nature yet, as a hacker was able to obtain illicit access to the city’s water treatment plant via remote access software. The hacker attempted to poison the city’s water supply by adding a dangerous level of cleaning agent to it.
While the attempt was spotted and headed off by a plant operator before it could do any damage, it raises questions about how serious a threat this sort of terrorist or nation-state action could be in the future.
Water supply threatened by unknown parties
Oldsmar is a small city of about 15,000 that sits on Tampa Bay between Tampa and Clearwater. As many industrial sites do, the city’s water treatment plant uses remote access software to allow higher-level employees and members of management to access the water supply system at any time.
The remote access software in this case, TeamViewer, is very commonly used. However, it had not been used at the Oldsmar water treatment plant in over six months. That was part of what tipped off a safety operator to the attempted attack. When the attacker increased the level of sodium hydroxide (lye) in the water supply to 11,100 parts per million (over 100x the normal level), the operator was able to quickly reverse the attack. A spokesperson for the treatment plant later said that additional safety precautions were in place; an automated shutoff system would have engaged upon detecting abnormal and dangerous chemical levels in the water supply even if the operator had not been present.
The general public of Oldsmar may never have been in any real danger, but the attack is nevertheless very concerning simply because of the attempt to do physical harm and how far the hackers were able to get. Officials told the media that they did not know how the attacker gained access to the water supply system, but that the attacker may have obtained a password to the outdated remote access system. TeamViewer said that it saw no suspicious activity on its end. Oldsmar officials said that they had no reason to believe current or former employees were involved but were conducting interviews of them as a precaution.
The current remote access product used to control the water supply, a Google Chrome extension, is not believed to be compromised. Officials said that the water treatment system does run on Windows 7, which reached its end of life in January 2020, but Rob Lee, CEO of the cybersecurity firm Dragos, told CNN that an operating system exploit is not believed to be involved in this case. Chris Krebs, former head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said that it was common for industrial equipment of this type to be running on outdated hardware and operating systems due to budget issues and legacy compatibility problems.
Mr. Andrea Carcano, co-founder of Nozomi Networks, felt that while this particular incident was unlikely to escalate it could serve as a precursor for similar attacks: “Based on the information available at this moment, this attack seems to lack any sophistication that could trigger more profound reactions. The fact that the perpetrator didn’t conceal his visual presence to the personnel monitoring the water treatment operation is the first signal that suggests the relatively low complexity of the attack. Furthermore, according to the reports of the incident, the attacker increased the levels of sodium hydroxide by a significant amount, typically monitored by automated systems, which likely suggests that the threat actor didn’t possess a specific background knowledge of the water treatment process … Nevertheless, this incident is important because it reflects the status of too many industrial control system (ICS) installations, especially those with smaller budgets and a smaller size, where security is often overlooked. Remote access, in particular, when not designed with security in mind, is often the beachhead used by remote attackers to infiltrate an ICS network.”
Remote access tools under increased scrutiny
Though the possibility remains that this was some sort of an inside job, the water supply hack highlights a common security issue: old software hanging around on networks and not being properly patched and updated.
Oldsmar was fortunate in that this particular remote access software gave the attacker direct control of the station operator’s desktop and mouse pointer, so the operator could watch from his normal station as the hacker scrolled through menus and adjusted the water chemical levels in real time.
Other analysts from Dragos spoke to Wired and told the magazine that they had seen both TeamViewer and similar remote access software compromised in similar ways in the past. The tools are popular targets among hackers looking to gain access to industrial systems as they are often the only point that connects the organization’s regular internet-connected IT network to the plant equipment that is normally otherwise air-gapped from the outside world. These vulnerabilities can be discovered via search tools such as Shodan, but past incidents generally saw hackers either attempting to install ransomware or just engaging in relatively benign mischief. Recorded incidents of hackers attempting to weaponize an industrial site via takeover of “human-machine interfaces” are few and far between globally, let alone in the United States.
However, it’s also true that the federal law that covers situations such as these, America’s Water Infrastructure Act of 2018, does not require water treatment plants to report a remote access compromise unless the drinking water supply is actually tainted and reaches the public. These utilities are often underfunded, understaffed and running on old equipment; some do not even have operators on site monitoring water systems as Oldsmar did. Issues are generally dealt with via remote access software, but that also creates a pathway in for attackers.
Grant Geyer, Chief Product Officer who heads the threat research team at Claroty, notes that while remote access is inherently problematic in this way, it is also a virtual necessity for a water treatment facility as well as other types of utilities: “Industrial control system (ICS) vulnerability disclosures impacting the sector have increased significantly year-over-year. As noted in our Biannual ICS Risk & Vulnerability Report released a few days ago, the Claroty Research Team found that ICS vulnerabilities disclosed during the second half (2H) of 2020 increased by 54% from 2H 2019 and 63% from 2H 2018 in water and wastewater. Due to the long depreciation period of equipment in critical infrastructure environments, technology obsolescence and the accompanying security vulnerabilities are a common occurrence. Additionally, many water utilities are small entities and are under-resourced, making the challenge of developing a robust security program that much more challenging … The solution is not as simple as eliminating remote access to such high-stakes environments … The key is how remote access can be implemented securely, so that we can stop these attacks – which will inevitably continue to happen – before the damage is done.”
Chris Grove, technology evangelist for Nozomi Networks, sees the answer to this situation as being an increased scope of monitoring whenever third-party software is interacting with industrial control systems: “Typical cyber security monitoring would not have really helped in this case if the attacker came from an IP address in the neighborhood. Maybe, if the attacker was not located domestically. The firewall could have alarmed about the strange external connection. However, today it’s TeamViewer, tomorrow it’s an Android phone, the day after it’s SolarWinds or VMware. There are too many lives at stake to blanket trust all of the vendors to be safe and secure within their products, and combined with cyber safe products being abused and misused by attackers, it becomes clear that the monitoring needs to go wide and deep … Unfortunately most of today’s facilities are only protected a little bit by wide monitoring which doesn’t go deep into the industrial control protocols themselves. Any facility where human lives are at risk, particularly so many, should monitor the industrial control process using artificial intelligence and anomaly detection to monitor, alert and stop anomalies within the process that aren’t a part of regular operations.”
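The two signals this article describes, a long-dormant remote access tool suddenly in use and a dose setpoint far outside engineering limits (which the automated shutoff would have caught), can be checked independently of the HMI. The following is an added example, not code from the article or from any vendor quoted in it; the 90-day dormancy window, the 200 ppm limit, the event format and the sample events are all assumed or constructed.

```python
# Added illustration: process-side checks over a constructed event stream.
# Not from the article; thresholds and event format are assumptions.
from datetime import datetime, timedelta

# Assumed engineering limit for the lye (NaOH) dose setpoint, in ppm.
# The article reports ~100 ppm as normal and 11,100 ppm as the injected value.
NAOH_PPM_MAX = 200.0
# A remote tool unused for longer than this is treated as dormant (assumed;
# the article says TeamViewer had not been used at the plant in six months).
DORMANT_AFTER = timedelta(days=90)


def detect(events):
    """Walk a time-ordered event list and return (index, reason) alerts.

    Each event is a dict with 'ts' (ISO 8601) and 'kind':
      kind == 'remote_login' carries 'tool'
      kind == 'setpoint'     carries 'tag' and 'ppm'
    """
    alerts = []
    last_seen = {}  # remote tool name -> datetime of its previous login
    for i, ev in enumerate(events):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "remote_login":
            prev = last_seen.get(ev["tool"])
            if prev is not None and ts - prev > DORMANT_AFTER:
                alerts.append((i, f"dormant_tool:{ev['tool']}"))
            last_seen[ev["tool"]] = ts
        elif ev["kind"] == "setpoint" and ev["ppm"] > NAOH_PPM_MAX:
            # Independent of who changed it: the value itself is unsafe.
            alerts.append((i, f"out_of_range:{ev['tag']}={ev['ppm']}ppm"))
    return alerts


def must_shut_off(alerts):
    """The interlock trips only on an unsafe process value, never on a
    merely unusual login, so a dormant tool alone only raises an alarm."""
    return any(reason.startswith("out_of_range:") for _, reason in alerts)


# Constructed sample events (dates and values are illustrative only).
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T09:00:00", "kind": "remote_login", "tool": "TeamViewer"},
    {"ts": "2020-06-01T09:05:00", "kind": "setpoint", "tag": "NAOH_DOSE_SP", "ppm": 100.0},
    {"ts": "2021-01-15T13:00:00", "kind": "remote_login", "tool": "TeamViewer"},
    {"ts": "2021-01-15T13:03:00", "kind": "setpoint", "tag": "NAOH_DOSE_SP", "ppm": 11100.0},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    print(found, "shut off:", must_shut_off(found))
```

Running it flags the second login as a dormant tool and the 11,100 ppm setpoint as out of range, and only the latter trips the shutoff.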