I should start by saying that I don’t typically watch small town press conferences about municipal water treatment operations. However, while scrolling through my news feed this week, I stumbled on a press conference that caught my attention, and I watched it in full.
The video was from Oldsmar, Florida, where the sheriff, mayor, and public works manager addressed an unauthorized intrusion into their water treatment facility.
Unfortunately, intrusions like this aren’t uncommon. But I was impressed by the transparency into the inner-workings of the plant, how the intrusion happened, and the steps that were taken after the fact.
In the video below, the sheriff summarizes the incident. A malicious actor remotely accessed a computer system responsible for distributing the chemicals that treat the water and other plant operations. An operator was monitoring the system. Although he noticed someone remotely accessing the system via TeamViewer, he quickly discounted his initial suspicions — several employees normally access the machine through a remote connection.
Later that day, it happened again. Only this time, the malicious actor took control and began clicking into various applications and settings to make configuration changes. The operator's suspicion was confirmed when the malicious actor changed the level of sodium hydroxide (normally used to raise water alkalinity, and the primary ingredient in drain cleaner) from 100 parts per million to 11,100 parts per million. The remote connection then quickly ended.
Luckily, the plant operator saw the change, immediately recognized the danger, and set the sodium hydroxide level back to normal. Had the change gone unnoticed, Oldsmar citizens could have been exposed to water that at best would have made them sick and at worst could have been fatal.
It’s important to note that the mayor assured the public that, even if the operator hadn’t been watching live, redundancies were in place to alert the plant about the incident. These efforts reduce the likelihood that the local population would have been affected.
The operator's computer was accessible remotely via TeamViewer, software that provides remote access, support, and control of devices.
From the TeamViewer site:
“TeamViewer lets you remote in to computers or mobile devices located anywhere in the world and use them as though you were there. Plus, you can remotely connect to servers, commercial-grade machines, and IoT devices from anywhere, at any time through our secure global remote access network.”
There are many legitimate reasons to use software that enables remote connections — but it can also be used maliciously.
In this case, it appears that TeamViewer was sanctioned and allowed to be used on the plant operator’s system. But there are important questions beyond “is this software allowed?”:
And if TeamViewer was not sanctioned for use, would anyone know it was installed on this device?
These questions often go unanswered because organizations lack the visibility of their devices, the software installed on the devices, and whether the devices are misconfigured or vulnerable.
These questions are perhaps even more important with the rise in remote work. Attackers are leaning heavily on exploiting login credentials for commonly used remote access platforms. In 2020, ESET detected 29 billion attempted RDP attacks alone.
The first step in identifying the avenues an attacker could use for this type of intrusion is accounting for every device, identifying what software is installed on each one, and determining how those devices and that software look to the outside world.
And this is exactly where cybersecurity asset management helps.
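To make the three steps above concrete, here is a small correlation script. It is an added example written for this article, not Axonius code or a description of its product: it takes a constructed inventory (device records as an endpoint agent, a directory, and an external port scan would each see them), then flags devices that no management source knows about, devices carrying a remote-access tool that is not on the sanctioned list for that host, and devices whose remote-access service is reachable from the outside. The hostnames, the product keyword list, the port-to-service mapping, and the source names are all assumptions made for the example.

```python
"""Correlate device, software and exposure inventories to find unsanctioned or exposed remote access.

Added example for this article; not Axonius code. All device data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Lower-case substrings that identify remote-access products in an installed-software list (assumed list).
REMOTE_ACCESS_PRODUCTS = ("teamviewer", "anydesk", "vnc", "logmein", "splashtop", "connectwise")

# Externally reachable ports that usually mean a remote-access service is listening (assumed mapping).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH", 5938: "TeamViewer"}

# Inventory sources whose presence means the device is actually managed (assumed source names).
MANAGEMENT_SOURCES = {"edr", "active_directory", "mdm"}


@dataclass
class Device:
    """One device as assembled from every inventory source that saw it."""
    name: str
    seen_by: set[str]                                   # sources that reported this device
    installed: list[str] = field(default_factory=list)  # installed-software names from the agent
    external_ports: set[int] = field(default_factory=set)  # ports open from the outside (external scan)


def remote_access_products(installed: list[str]) -> set[str]:
    """Return the remote-access product keywords found in an installed-software list."""
    found = set()
    for entry in installed:
        low = entry.lower()
        for product in REMOTE_ACCESS_PRODUCTS:
            if product in low:
                found.add(product)
    return found


def assess(devices: list[Device], sanctioned: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (device, finding_type, detail) tuples for the three questions the article raises."""
    findings = []
    for d in devices:
        # 1. Do we even know about this device? Seen only by a scanner means no agent, no directory entry.
        if not (d.seen_by & MANAGEMENT_SOURCES):
            findings.append((d.name, "unmanaged", f"seen only by {sorted(d.seen_by)}"))
        # 2. Is a remote-access tool installed that is not sanctioned for this host?
        allowed = sanctioned.get(d.name, set())
        for product in sorted(remote_access_products(d.installed) - allowed):
            findings.append((d.name, "unsanctioned_remote_access", product))
        # 3. Is a remote-access service reachable from the outside world?
        for port in sorted(d.external_ports & set(REMOTE_ACCESS_PORTS)):
            findings.append((d.name, "externally_exposed", f"{REMOTE_ACCESS_PORTS[port]}/{port}"))
    return findings


# Constructed sample inventory: hostnames, sources and software are assumptions for the example.
SAMPLE_DEVICES = [
    Device("hmi-ops-01", {"edr", "active_directory", "external_scan"}, ["TeamViewer 15.x", "SCADA Client"]),
    Device("eng-ws-07", {"edr", "active_directory"}, ["AnyDesk 6.x", "Notepad++"]),
    Device("10.0.5.23", {"external_scan"}, [], {3389, 443}),
]

# Hosts on which a given remote-access tool is approved (assumed policy).
SANCTIONED = {"hmi-ops-01": {"teamviewer"}}


def sample_findings() -> list[tuple[str, str, str]]:
    """Run the assessment over the constructed inventory."""
    return assess(SAMPLE_DEVICES, SANCTIONED)


if __name__ == "__main__":
    for name, kind, detail in sample_findings():
        print(f"{name:12} {kind:28} {detail}")
```

On the sample data the sanctioned TeamViewer install on hmi-ops-01 produces no finding, the AnyDesk install on eng-ws-07 is flagged as unsanctioned, and 10.0.5.23 is flagged twice: nobody manages it, and it exposes RDP to the internet. The real work in an asset-management program is the part this script takes as given, namely merging the agent, directory, and scan sources into one record per device; once that record exists, the checks themselves are a few set operations.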
Axonius defines cybersecurity asset management as the process of:
In this scenario, cybersecurity asset management could have been used to: