Investigation into the Oldsmar, Florida, water treatment system cybersabotage continues. There’s no word yet on attribution, and the intrusion looks more elementary than ever. CNN quotes the Pinellas County Sheriff as confirming that the attacker got in through TeamViewer. The utility was no longer using TeamViewer and hadn’t done so for about six months, but the software had been left on the utility’s network. And as the AP noted, apparently every employee shared the same TeamViewer password.
Massachusetts environmental authorities provide an advisory for water suppliers.
Understandably people far, far outside the range of the water treatment sabotage incident have been worried about the safety of their local water supply. A Cybersecurity Advisory for Public Water Suppliers from the Massachusetts Department of Environmental Protection provides not only reassurance for the state’s consumers, but a useful summary of how utilities can mitigate the risk of cybersabotage:
- “Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
- “Install a firewall software/hardware appliance with logging and ensure it is turned on. The firewall should be secluded and not permitted to communicate with unauthorized sources.
- “Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
- “Use two-factor authentication with strong passwords.
- “Only use secure networks and consider installing a virtual private network (VPN).
- “Implement an update- and patch-management cycle. Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected systems for known vulnerabilities and software processing Internet data, such as Web browsers, browser plugins, and document readers.”
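The two weaknesses the reporting above describes, remote-access software left installed long after its last use and one password shared by every employee, are both things a utility can check for in its own software inventory and account records. The following Python audit is an added illustration, not code from the article or the Massachusetts advisory; the host names, users, hash values and the 90-day idle threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory: one row per remote-access product per host,
# with the ISO date it was last used. Hosts and dates are not real.
INVENTORY = [
    {"host": "hmi-01", "software": "TeamViewer", "last_used": "2020-08-03"},
    {"host": "hmi-02", "software": "TeamViewer", "last_used": "2020-08-05"},
    {"host": "eng-ws", "software": "TeamViewer", "last_used": "2021-02-01"},
]

# Constructed sample credential records: each user's password hash for the
# remote-access tool. The hash strings are placeholders, not real hashes.
CREDENTIALS = [
    {"user": "operator1", "software": "TeamViewer", "pw_hash": "hash-AAA"},
    {"user": "operator2", "software": "TeamViewer", "pw_hash": "hash-AAA"},
    {"user": "engineer",  "software": "TeamViewer", "pw_hash": "hash-BBB"},
]


def stale_installs(inventory, today, max_idle_days=90):
    """Return (host, software, idle_days) for tools idle longer than the threshold."""
    now = date.fromisoformat(today)
    out = []
    for row in inventory:
        idle = (now - date.fromisoformat(row["last_used"])).days
        if idle > max_idle_days:
            out.append((row["host"], row["software"], idle))
    return out


def shared_passwords(credentials):
    """Return {(software, pw_hash): [users]} for any hash used by more than one user."""
    groups = defaultdict(list)
    for rec in credentials:
        groups[(rec["software"], rec["pw_hash"])].append(rec["user"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def audit(inventory, credentials, today, max_idle_days=90):
    """Combine both checks into human-readable findings with a remediation."""
    findings = []
    for host, sw, idle in stale_installs(inventory, today, max_idle_days):
        findings.append(f"{host}: {sw} unused for {idle} days; remove or disable it")
    for (sw, _), users in shared_passwords(credentials).items():
        names = ", ".join(sorted(users))
        findings.append(f"{sw}: one password shared by {len(users)} users ({names}); "
                        "issue individual credentials and enable two-factor authentication")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY, CREDENTIALS, "2021-02-10"):
        print(line)
```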
No attribution of Oldsmar water system cyber sabotage.
There’s no attribution in sight. The Washington Post’s Ellen Nakashima, covering former CISA Director Chris Krebs’s testimony before a House Homeland Security hearing yesterday, tweets that Krebs suggested the possibility of a disgruntled insider. “Florida water hack was ‘very likely’ the work of ‘a disgruntled employee’ @C_C_Krebs says at a House Homeland Security hearing,” she wrote, adding, “In later remarks, @C_C_Krebs clarifies: ‘It’s possible that this was an insider or a disgruntled employee. It’s also possible that it’s a foreign actor.’ ... But ‘we should not jump to a conclusion that it’s a sophisticated’ adversary.”
So there’s a range of possible threat actors, and public attribution at this point hasn’t gone beyond a priori speculation. Or even, as Domain Tools’ logician and ICS security maven Joe Slowik points out, mere tautology: “‘A or not A’ isn’t terribly helpful at the moment - we can infer some aspects on the entity responsible based on limited technical details, but still far removed from any clear assignment of blame.”
Not your Папы GRU.
Speaking of attribution, while this will probably have confused few, it’s perhaps worth noting that when Florida public officials talk about “the GRU,” they don’t mean what you might think they mean. “The GRU water system cannot be accessed remotely,” Gainesville Mayor Lauren Poe posted to Facebook. He means Gainesville Regional Utilities, which serve the Florida university town, not the Russian military intelligence service. Mayor Poe added, “Rest assured, water security and cybersecurity are a top priority of the GRU water system.” Oldsmar is down near Tampa, about a two-hour drive from Gainesville, so the mayor’s statement is reassurance to the jittery, not an acknowledgement of any connection to the Oldsmar sabotage. There is no such connection. And no one’s said the GRU pwned Florida water supplies.