By Curtis Simpson, CISO
An attack on a Florida city’s water treatment system (Oldsmar) was not ingenious, nor were the protective measures that prevented its potentially fatal outcome. That is what makes this attack so worrying.
Back in July 2020, the NSA and CISA warned of the perfect storm facing critical operations that rely on operational technology (also known as OT). They warned in strong terms that the underlying technologies enabling critical operations, in industries from energy and utilities to manufacturing, are growing in scale and becoming more vulnerable every day, and that the organizations being attacked lack the visibility required to recognize and respond to attacks effectively.
The other reminder for some, and wake-up call for others, in that same advisory was that the threats themselves range from script kiddies to nation-states. Open sources of information (e.g. Shodan) and penetration testing toolkits (e.g. Metasploit), used by practitioners and malicious actors alike, make it easier than ever for any malicious actor to identify critical OT vulnerabilities and take advantage of them.
In summary, a malicious actor gained unauthorized remote access to Oldsmar’s water treatment systems and increased the concentration of a chemical called sodium hydroxide, commonly known as caustic, by a factor of 100. This chemical can be fatal if ingested in large quantities.
The attacker gained access through the TeamViewer solution, which had previously been used to allow legitimate remote management of the water systems. Most likely, the account credentials were simply compromised and were not protected by an effective MFA mechanism, token based or otherwise. The proverbial ticking time bomb.
So what actually stopped this attack and helped avoid a potentially fatal event? A person who happened to be staring at a screen. Yes that’s it.
Why is this so worrying?
If a utility or critical infrastructure provider is unable to systematically protect, or quickly identify and respond to, unauthorized use or misuse of a remote access solution in the systems that matter most to its operations and even to downstream lives, what happens when a nation-state actor mounts a more complex attack? If the Florida story had been about a bad actor exploiting one of the many vulnerabilities that exist today in unseen IoT devices or critical OT devices, we would probably be having a very different conversation.
We are vulnerable, we are under attack, and we are not yet moving fast enough to gain a full view of our critical OT environments and the connected, unmanaged devices within them that are at risk of exploitation or disruption with potentially significant impact.
We have already been warned by US intelligence agencies that have unprecedented insight into the attack surface of these environments and into the range of attackers exploiting that attack surface to achieve their malicious ends. We continue to see escalating examples of such attacks with the potential to destroy human lives; this is just the latest in a growing line of real-world examples that underscore the importance of securing not only remote access but also critical systems that fall outside the traditional IT categories (e.g. servers, PCs, tablets).
More sophisticated adversaries are also likely to view this event as a reminder of the potential and ease of targeting such operations. Unfortunately, the ransom that could be demanded if a bad actor took full control of such a utility management system would likely be unprecedented, and they were just reminded of how easy it can be.
The threat is real, as is the opportunity to mitigate the underlying risks of exploitation, disruption, and even impact on human life.
What should critical OT operations take away from this incident?
Step one – ensure alignment. If your operation is critically dependent on operational technology, and your cybersecurity and OT / engineering functions have not yet started aligning on a strategy and plan to build a baseline understanding of risk and a prioritized game plan for risk mitigation, this should be the first step.
Because, until recently, OT environments and devices rarely fell fully within the remit of cybersecurity, the cybersecurity function’s visibility into and contextual understanding of these environments has historically been severely limited. With the ubiquitous and growing threat of disruption to OT operations, it is necessary to accelerate the closing of this visibility gap with modern solutions designed to understand non-traditional devices and manage the risks surrounding them.
Step two – review your tools. Modern technologies like Armis allow continuous, passive and contextual mapping and monitoring of these environments and their devices, eliminating the potential for our tools themselves to cause the business disruptions we want to avoid. Context also means tracking the behavior of devices and their connections over time, so that you know when a device is behaving suspiciously or maliciously.
Step three – address the edge. Let’s not lose sight of the basics either. Edge (remote) access remains critical and should always be tightly controlled, require multiple factors of authentication to prove identity, and be continuously monitored for abnormal and potentially malicious activity. For those who have not yet taken the time to evaluate and secure the various methods of remote access in their environment, this should be a top priority and a recurring activity going forward.
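As an added illustration of steps two and three (example code written for this article, not an Armis product or anything from the incident itself), the following detection pass runs over a constructed log of remote-access sessions and HMI setpoint changes. It flags a remote session that was not protected by MFA, a chemical setpoint that jumps by an implausible factor, and the two occurring together within a short window; the log format, user names, addresses, tag name and thresholds are all invented for the example.

```python
"""Added example (not from the original post): a detection pass over constructed
remote-access and HMI setpoint events. Flags a remote session without MFA, a setpoint
that jumps by an implausible factor, and the two occurring together."""
import re
from datetime import datetime, timedelta
# Constructed sample log: REMOTE = remote-access session start, SETPOINT = HMI change.
SAMPLE_LOG = """\
2021-02-05T08:02:11 REMOTE user=plant-ops src=203.0.113.5 mfa=yes
2021-02-05T08:03:40 SETPOINT tag=NaOH_ppm old=100 new=105 user=plant-ops
2021-02-05T13:31:02 REMOTE user=plant-ops src=198.51.100.77 mfa=no
2021-02-05T13:33:19 SETPOINT tag=NaOH_ppm old=100 new=10000 user=plant-ops
"""
LINE_RE = re.compile(r"^(\S+) (REMOTE|SETPOINT) (.*)$")
MAX_SETPOINT_RATIO = 2.0                  # largest plausible single-step change (assumed)
CORRELATION_WINDOW = timedelta(minutes=30)  # assumed window for linking session and change

def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, kind, rest = m.groups()
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev.update(ts=datetime.fromisoformat(ts), kind=kind)
    return ev

def detect(log_text):
    """Return (timestamp, reason) alerts for the given log text."""
    alerts, unverified = [], {}   # unverified: user -> time of last no-MFA session
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["kind"] == "REMOTE":
            if ev.get("mfa") != "yes":
                unverified[ev["user"]] = ev["ts"]
                alerts.append((ev["ts"], f"remote session without MFA from {ev['src']} as {ev['user']}"))
            continue
        old, new = float(ev["old"]), float(ev["new"])
        ratio = new / old if old else float("inf")
        if ratio > MAX_SETPOINT_RATIO or ratio < 1 / MAX_SETPOINT_RATIO:
            alerts.append((ev["ts"], f"{ev['tag']} changed x{ratio:g} ({old:g} -> {new:g}) by {ev['user']}"))
            last = unverified.get(ev["user"])
            if last is not None and ev["ts"] - last <= CORRELATION_WINDOW:
                alerts.append((ev["ts"], f"setpoint change follows no-MFA session of {ev['user']}"))
    return alerts

if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_LOG):
        print(ts.isoformat(), reason)
```

On the sample log the first session and the small 100 to 105 adjustment pass silently, while the afternoon session without MFA, the hundredfold setpoint jump, and their correlation each produce an alert.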
Many companies already use such a strategy to protect themselves effectively against attacks like this one. This should remind us all that the risk is real, as is our opportunity to protect our operations and downstream consumers.
To learn more about how Armis can help you secure your OT environment, email me for our whitepaper [email protected]