An unsophisticated attack using TeamViewer nearly poisoned the 14,000 residents of Oldsmar. Here are the takeaways for cyber defenders.

In February this year, a hacker remotely accessed a water treatment system and briefly increased the amount of sodium hydroxide (lye) by 100 times in order to harm residents.

Up until that attack in Oldsmar, Florida, most cybersecurity incidents had involved intellectual property, financial loss and reputational damage, but not reckless endangerment via operational infrastructure such as public utilities.

By leveraging the Microsoft TeamViewer app, an unsophisticated attacker exposed the rising threat of cyberattacks on critical and operational infrastructure.

Over the past year, we have seen organizations place more emphasis on threat detection for critical infrastructure services. Cybersecurity spending in this area is expected to surpass US$105bn this year, with the Asia Pacific region (APAC) set for the highest growth in spending. This is largely attributed to the increased number of remote workers during the pandemic and the resulting need for remote-access applications such as TeamViewer, which in turn requires balancing IT cybersecurity spend with ICS (industrial control systems) spend.

If an unsophisticated attacker can start the process of poisoning our water supply with a few mouse clicks, what can we expect from highly skilled threat actors?

Five ICS considerations

The Oldsmar attack highlights the vulnerable state of far too many ICS installations. To put a framework around securing water treatment facilities, we need to focus on the process and start asking the right questions.

How is the water filtered? What operational technology (OT) processes are being used? What are the risks posed to those processes? Working through the operational workflow can help identify the ‘crown jewels’ whose protection should be prioritized.

Overall, here are five steps to consider when protecting critical infrastructure from attack:

  1. Secure the remote access route
    Many CISOs are reportedly sacrificing security to facilitate remote work. This is a worrying sign, and deep changes need to be made to ensure that remote working remains sustainable and secure. This is especially pertinent for ICS networks, since the processes and controls for remote access are typically less mature than those of enterprise networks, as was the case in the Oldsmar incident.

    Best practices necessary to secure remote access—such as incorporating a virtual private network (VPN) with multifactor authentication (MFA), endpoint protection, good password hygiene, network firewalls, and most importantly, continuous monitoring of remote activity—were not implemented in the Oldsmar facility.

    Only with the right tools in place can security teams quickly identify the kind of activity used in the attack before a major disruption occurs.
  2. Inventory all assets
    It is important to inventory assets using passive traffic monitoring technology for increased visibility. This will help augment the cybersecurity posture of critical infrastructure operators in APAC, where few have full or even partial visibility of their OT assets.

    Taking, and continuously updating, an inventory of all network assets enables security teams to achieve real-time network visibility into their devices, connections, communications, and protocols, to better monitor, identify, and troubleshoot networking issues that threaten reliability.
  3. Identify and patch vulnerabilities
    Frustratingly, most devices are not designed for the level of security required in a critical infrastructure environment. Many devices lack basic authentication, encryption and other security standards applied in IT. Hackers all too often exploit well-known, but unpatched, vulnerabilities.

    Using end-of-life software, such as the Windows 7 systems found on Oldsmar’s network, is risky. All too often we see legacy, unsupported operating systems in use, for which more than 34% of vulnerabilities do not have vendor fixes. APAC organizations can leverage tools such as the National Vulnerability Database (NVD) in the US to determine the risk profile of devices, and to prioritize and recommend firmware updates as required.
  4. Monitor for anomalies in processes and controls
    It is not enough to only monitor for malware in ICS environments. Understanding and monitoring the actual industrial process tags and variables enables plant managers to identify anomalies that may impact production. Some may result from cyberattacks, others from misconfigurations or equipment in need of service.

    Automated network anomaly detection uses AI to run detection against the real parameters used to control industrial processes. This helps with cyber protection and also optimizes operations. For example, if a pump is rated to spin at 100 rotations per minute, it is most likely unsafe to run it above that. We cannot necessarily rely on human intervention to prevent this limit from being exceeded. Hence, engineers program the human-machine interface (HMI) to prevent operators from entering invalid inputs or introducing unsafe conditions.

    By monitoring processes, security teams can significantly reduce the risk of harm from negligence or compromised insiders. In the case of Oldsmar, the threat actor used the graphical user interface to increase the level of sodium hydroxide added to the water. Had anomaly detection been applied, the attack would have been quickly detected and blocked without issue.
  5. Integrate ICS and IT network security
    Operational technology staff understand how to meet production targets and keep the plant running safely, while IT can address networking and cyber issues unfamiliar to ICS staff. When the two work in tandem, operational resiliency increases every time.

    Unfortunately, security is still too heavily focused on IT, and not enough on OT. This undermines the entire security posture of the organization. It is time to improve collaboration between the two disciplines to reduce blind spots and risks around increasingly connected ICS. This will become crucial as convergence between IT and OT is ramped up in APAC.
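Steps 1 and 2 both come down to the same telemetry: if you passively watch who talks to whom on the plant network, you get an asset inventory for free and you can spot remote-access tools reaching out to the internet from OT hosts. The following Python is an added example written for this article, not code from the Oldsmar facility or any vendor. The flow records are constructed, the `10.10.0.0/16` plant range is an assumption, and the port-to-protocol table is deliberately coarse (Modbus/TCP on 502, EtherNet/IP on 44818 and TeamViewer's documented default of TCP 5938).

```python
"""Passive OT asset inventory and remote-access exposure check from flow records."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed plant address range (not Oldsmar's real addressing).
PLANT_NET = ip_network("10.10.0.0/16")

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes).
# Shaped like a NetFlow/Zeek conn export reduced to the fields we need.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", "tcp", 502, 1200),     # HMI -> PLC, Modbus/TCP
    ("10.10.1.5", "10.10.2.21", "tcp", 502, 900),
    ("10.10.1.5", "10.10.2.22", "tcp", 44818, 2300),   # HMI -> PLC, EtherNet/IP
    ("10.10.1.7", "10.10.2.20", "tcp", 502, 400),      # engineering workstation
    ("10.10.1.5", "203.0.113.40", "tcp", 5938, 50000), # HMI -> internet, TeamViewer
    ("10.10.1.5", "198.51.100.9", "tcp", 443, 8000),   # HMI -> internet, HTTPS
]

# Coarse port labels: (protocol name, category). Real deployments would use
# deep packet inspection rather than ports alone.
PORT_LABELS = {
    502: ("modbus_tcp", "ot"),
    44818: ("enip", "ot"),
    5938: ("teamviewer", "remote_access"),
    3389: ("rdp", "remote_access"),
    443: ("https", "it"),
}
OT_PROTOCOLS = {name for name, cat in PORT_LABELS.values() if cat == "ot"}


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)      # "client" and/or "server"
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)


def is_internal(ip: str) -> bool:
    return ip_address(ip) in PLANT_NET


def build_inventory(flows):
    """Derive plant-internal assets, their roles and protocols from flows only."""
    assets = {}
    for src, dst, proto, port, _nbytes in flows:
        label, _category = PORT_LABELS.get(port, (f"{proto}/{port}", "unknown"))
        for ip, role, peer in ((src, "client", dst), (dst, "server", src)):
            if not is_internal(ip):
                continue  # external hosts are peers, not inventory entries
            asset = assets.setdefault(ip, Asset(ip))
            asset.roles.add(role)
            asset.protocols.add(label)
            asset.peers.add(peer)
    return assets


def classify(asset: Asset) -> str:
    """Rough role guess: answers OT protocols -> controller; speaks them -> HMI/EWS."""
    if "server" in asset.roles and asset.protocols & OT_PROTOCOLS:
        return "controller"
    if "client" in asset.roles and asset.protocols & OT_PROTOCOLS:
        return "hmi_or_engineering"
    return "unclassified"


def find_remote_access_exposure(flows):
    """Plant hosts using remote-access protocols toward addresses outside the plant."""
    findings = []
    for src, dst, _proto, port, _nbytes in flows:
        label, category = PORT_LABELS.get(port, (None, None))
        if category == "remote_access" and is_internal(src) and not is_internal(dst):
            findings.append((src, dst, label))
    return findings


if __name__ == "__main__":
    for ip, asset in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(ip, classify(asset), sorted(asset.protocols))
    for src, dst, label in find_remote_access_exposure(SAMPLE_FLOWS):
        print(f"ALERT remote-access egress: {src} -> {dst} ({label})")
```

Run against the sample flows, the inventory lists five plant hosts (three controllers, two HMI/engineering clients) and the exposure check flags the single HMI-to-internet TeamViewer flow, which is exactly the kind of connection continuous monitoring of remote activity is meant to surface.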
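Step 4 argues that watching the process variables themselves, not just the network, is what would have caught Oldsmar. The check is simple to state: every setpoint write is compared against engineering limits (range and maximum step), and the source of the write is recorded so a change arriving through a remote session is visible. The Python below is an added example for this article, not the facility's or any vendor's product. The tag names, limits and telemetry events are constructed; the sodium hydroxide limits in particular are illustrative, not Oldsmar's real dosing parameters.

```python
"""Range, step and source checks on ICS setpoint writes (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    low: float       # engineering minimum
    high: float      # engineering maximum (e.g. a pump's rated speed)
    max_step: float  # largest change a single write is allowed to make


# Assumed engineering limits per process tag (constructed, not real plant values).
LIMITS = {
    "naoh_dose_ppm": TagLimits(low=50.0, high=200.0, max_step=20.0),
    "pump1_rpm": TagLimits(low=0.0, high=100.0, max_step=25.0),
}

# Sources a write is normally expected from; anything else is reported.
TRUSTED_SOURCES = {"hmi_console"}

# Violations that should reject the write, not just raise an alert.
BLOCKING = {"out_of_range", "step_too_large"}

# Constructed telemetry: (timestamp_s, tag, source, requested_value).
SAMPLE_EVENTS = [
    (0, "naoh_dose_ppm", "hmi_console", 100.0),
    (60, "naoh_dose_ppm", "hmi_console", 110.0),
    (120, "pump1_rpm", "hmi_console", 80.0),
    (180, "naoh_dose_ppm", "remote_session", 11100.0),  # ~100x jump via remote session
    (240, "pump1_rpm", "hmi_console", 120.0),           # above rated 100 rpm
]


def evaluate_write(tag, source, value, last_value, limits=LIMITS):
    """Return the list of violation reasons for one setpoint write (empty if clean)."""
    lim = limits.get(tag)
    if lim is None:
        return ["unknown_tag"]
    reasons = []
    if not (lim.low <= value <= lim.high):
        reasons.append("out_of_range")
    if last_value is not None and abs(value - last_value) > lim.max_step:
        reasons.append("step_too_large")
    if source not in TRUSTED_SOURCES:
        reasons.append("untrusted_source")
    return reasons


def check_events(events, limits=LIMITS):
    """Replay writes in order; return (alerts, accepted_values).

    alerts: list of (timestamp, tag, reason, value).
    accepted_values: last accepted value per tag. A blocked write is never used
    as the baseline for the next step check, so one bad write cannot 'walk'
    the limits upward.
    """
    last = {}
    alerts = []
    for ts, tag, source, value in events:
        reasons = evaluate_write(tag, source, value, last.get(tag), limits)
        alerts.extend((ts, tag, r, value) for r in reasons)
        if not (set(reasons) & BLOCKING) and tag in limits:
            last[tag] = value
    return alerts, last


if __name__ == "__main__":
    found, state = check_events(SAMPLE_EVENTS)
    for ts, tag, reason, value in found:
        print(f"t={ts:>4}s {tag:<14} {reason:<16} value={value}")
    print("accepted state:", state)
```

On the sample stream, the two routine console writes pass, the remote-session write of 11100 ppm trips all three checks (out of range, step far above 20 ppm, untrusted source) and is rejected, and the 120 rpm pump write is refused as above rated speed. The accepted baseline stays at 110 ppm and 80 rpm, which is the "detected and blocked" outcome the article describes.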

APAC’s critical infrastructure and industrial facilities are essential for keeping residents safe and driving economic recovery, but that fact makes them even bigger targets for threat actors and nation-state attackers.

We need to heed the threat unveiled by Oldsmar and become better equipped and create a roadmap towards operational resiliency.