I should start by saying that I don’t typically watch small town press conferences about municipal water treatment operations. However, while scrolling through my news feed this week, I stumbled on a press conference that caught my attention, and I watched it in full.
The video was from Oldsmar, Florida, where the sheriff, mayor, and public works manager addressed an unauthorized intrusion into their water treatment facility.
Unfortunately, intrusions like this aren’t uncommon. But I was impressed by the transparency into the inner workings of the plant, how the intrusion happened, and the steps that were taken after the fact.
The Oldsmar Water Hack
In the video below, the sheriff summarizes the incident. A malicious actor remotely accessed a computer system responsible for distributing the chemicals that treat the water and other plant operations. An operator was monitoring the system. Although he noticed someone remotely accessing the system via TeamViewer, he quickly discounted his initial suspicions — several employees normally access the machine through a remote connection.
Later that day, it happened again. Only this time, the malicious actor took control and began clicking into various applications and settings to make configuration changes. The operator’s suspicion was confirmed when the malicious actor changed the level of sodium hydroxide (normally used to alter water alkalinity, and the primary ingredient in drain cleaner) from 100 parts per million to 11,100 parts per million. The remote connection then quickly ended.
Luckily, the plant operator saw the change, immediately recognized the danger, and changed the sodium hydroxide level back to normal. Had the change gone unnoticed, Oldsmar citizens could have been exposed to water that would have made them sick at best and could have been fatal at worst.
It’s important to note that the mayor assured the public that, even if the operator hadn’t been watching live, redundancies were in place to alert the plant about the incident. These efforts reduce the likelihood that the local population would have been affected.
How Did the Intrusion Happen?
The operator’s computer was accessible remotely via TeamViewer, software that allows remote access, support, and control of devices.
From the TeamViewer site:
“TeamViewer lets you remote in to computers or mobile devices located anywhere in the world and use them as though you were there. Plus, you can remotely connect to servers, commercial-grade machines, and IoT devices from anywhere, at any time through our secure global remote access network.”
There are many legitimate reasons to use software that enables remote connections — but it can also be used maliciously.
In this case, it appears that TeamViewer was sanctioned and allowed to be used on the plant operator’s system. But there are important questions beyond “is this software allowed?”:
- Was TeamViewer configured properly?
- Did the machine have known and remotely exploitable vulnerabilities?
- Were there behavioral anomalies that could have been detected prior to an outsider gaining access?
And if TeamViewer was not sanctioned for use, would anyone know it was installed on this device?
These questions often go unanswered because organizations lack visibility into their devices, the software installed on those devices, and whether the devices are misconfigured or vulnerable.
These questions are perhaps even more important with the rise in remote work. Attackers are leaning heavily on exploiting login credentials for commonly used remote access platforms. In 2020, ESET detected 29 billion attempted RDP attacks alone.
How Can Cybersecurity Asset Management Help?
The first step in identifying avenues for hackers to conduct this type of intrusion is accounting for all devices, identifying what software has been installed, and determining what devices and software look like to the outside world.
And this is exactly where cybersecurity asset management helps.
Axonius defines cybersecurity asset management as the process of:
- Gathering data from any source that provides detailed information about assets
- Correlating that data to generate a comprehensive view of every asset and what's on it
- Continually validating every asset’s adherence to the overall security policy
- Creating automatic, triggered actions whenever an asset deviates from that security policy
In this scenario, cybersecurity asset management could have been used to:
- Find all installed software on devices
  - Are there other devices with TeamViewer? Is their TeamViewer open to the internet, misconfigured, or vulnerable?
- Find unsanctioned software installed on devices
  - Is there any unauthorized software installed on the devices across the plant?
- Accelerate the incident response investigation
  - Post-intrusion, what can we find out about what happened? Did this device have certain security agents at the time of the alert? Did it have any vulnerable software related to the alert? Which user(s) were associated with the device at the time of the alert?
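To make the questions in the two lists above concrete (which devices run TeamViewer, is it exposed or outdated, is anything unsanctioned installed, is a security agent present), here is an added example of the gather, correlate, validate steps in Python. It is not Axonius code; the host names, inventory records, exposure data, and policy thresholds are all constructed samples.

```python
# Added example: correlate constructed asset data from several sources and flag policy deviations.
from collections import defaultdict

# Constructed: software inventory rows, as a configuration management tool might report them.
SOFTWARE_INVENTORY = [
    {"host": "ops-ws-01", "software": "TeamViewer", "version": "15.1"},
    {"host": "ops-ws-01", "software": "Chrome", "version": "88"},
    {"host": "ops-ws-02", "software": "TeamViewer", "version": "13.0"},
    {"host": "hmi-03", "software": "AnyDesk", "version": "6.1"},
]
# Constructed: hosts whose EDR agent has checked in recently.
EDR_AGENTS = {"ops-ws-01"}
# Constructed: hosts where an external scan found a remote-access service reachable from the internet.
EXTERNAL_EXPOSURE = {"ops-ws-02": ["TeamViewer"], "hmi-03": ["AnyDesk"]}

# Constructed security policy: what the plant sanctions and the minimum versions it accepts.
POLICY = {
    "sanctioned_software": {"TeamViewer", "Chrome"},
    "min_versions": {"TeamViewer": (15, 0)},
    "require_edr": True,
}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def correlate(inventory, agents, exposure):
    """Merge every source into one record per host: the comprehensive view of the asset."""
    assets = defaultdict(lambda: {"software": {}, "edr": False, "exposed": []})
    for row in inventory:
        assets[row["host"]]["software"][row["software"]] = row["version"]
    for host in agents:
        assets[host]["edr"] = True
    for host, services in exposure.items():
        assets[host]["exposed"] = list(services)
    return dict(assets)

def hosts_with(assets, name):
    """Answer 'are there other devices with <software>?' from the correlated view."""
    return sorted(h for h, a in assets.items() if name in a["software"])

def policy_findings(assets, policy):
    """Validate each asset against policy; return {host: [finding, ...]} for deviating hosts only."""
    findings = defaultdict(list)
    for host, a in assets.items():
        for name, ver in a["software"].items():
            if name not in policy["sanctioned_software"]:
                findings[host].append(f"unsanctioned software: {name}")
            minimum = policy["min_versions"].get(name)
            if minimum and parse_version(ver) < minimum:
                findings[host].append(f"outdated {name} {ver}")
            if name in a["exposed"]:
                findings[host].append(f"{name} reachable from the internet")
        if policy["require_edr"] and not a["edr"]:
            findings[host].append("no EDR agent")
    return dict(findings)
```

Each finding is the kind of policy deviation that would trigger an automatic action (a ticket, a block rule, or an isolation request) in the fourth step of the definition above.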