The FBI hasn't had anything to say about the progress of its investigation into the Oldsmar water system cybersabotage incident (and neither have the Secret Service and local law enforcement authorities), but yesterday the Bureau did tweet renewed encouragement to "remind you how important cybersafety is to protecting the American public and U.S. critical infrastructure."
The FBI encouraged its Twitter followers to read the Cybersecurity and Infrastructure Security Agency's latest Alert on the incident. CISA offers a good bit of sound and generally applicable advice on digital hygiene and best security practices. One part of the agency's alert, however, is specific to water utilities and how they should secure their cyber-physical systems. "Install independent cyber-physical safety systems," CISA writes, explaining that "These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor." Such safety system controls would include the "size of the chemical pump, size of the chemical reservoir, gearing on valves," and "pressure switches, etc."
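As an added illustration of CISA's point (this is not code from the alert or from any utility), here is a toy model of a chemical dosing line in which a compromised controller or HMI may request any setpoint, but the installed pump size, the reservoir volume and an independent trip switch bound what can physically happen; every number and name below is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PhysicalSafeguards:
    """Limits that live in hardware, not in PLC/HMI software (constructed values)."""
    pump_max_lph: float        # the installed metering pump cannot exceed this flow
    reservoir_litres: float    # only this much chemical is on hand
    trip_ppm: float            # an independent analyser/pressure switch cuts pump power above this


@dataclass
class DosingLine:
    guard: PhysicalSafeguards
    stock_ppm: float        # concentration of the chemical stock being pumped
    plant_flow_lph: float   # water flow being treated

    def pump_demand_lph(self, setpoint_ppm: float) -> float:
        """Pump flow the controller requests for a target dose.

        A compromised HMI/controller can request any setpoint; no software
        clamp is assumed, because software on a compromised box cannot be trusted.
        """
        return setpoint_ppm * self.plant_flow_lph / self.stock_ppm

    def bounded_dose_ppm(self, setpoint_ppm: float) -> float:
        """Dose that can actually reach the water once pump sizing applies."""
        pump_lph = min(self.pump_demand_lph(setpoint_ppm), self.guard.pump_max_lph)
        return pump_lph * self.stock_ppm / self.plant_flow_lph

    def interlock_trips(self, setpoint_ppm: float) -> bool:
        """True when the independent trip switch would de-energise the pump."""
        return self.bounded_dose_ppm(setpoint_ppm) > self.guard.trip_ppm

    def hours_until_reservoir_empty(self, setpoint_ppm: float) -> float:
        """How long the worst case can run before the reservoir itself ends it."""
        pump_lph = min(self.pump_demand_lph(setpoint_ppm), self.guard.pump_max_lph)
        return self.guard.reservoir_litres / pump_lph


if __name__ == "__main__":
    line = DosingLine(PhysicalSafeguards(40.0, 2000.0, 150.0), 500_000.0, 100_000.0)
    for sp in (100.0, 10_000.0):   # normal setpoint vs. a hostile 100x setpoint
        print(sp, line.pump_demand_lph(sp), line.bounded_dose_ppm(sp), line.interlock_trips(sp))
```

With these constructed figures the hostile setpoint asks for 2000 L/h but the pump can only deliver 40 L/h, so the dose is held to 200 ppm and the 150 ppm trip switch then stops it; neither layer depends on the controller being honest.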
Other water systems reassure users that they're safe.
The Dayton Daily News says that the City of Dayton, Ohio, whose water system supplies more than four-hundred-thousand people in the city and surrounding county, thinks it's unlikely to suffer the same kind of attack seen in Florida. Dayton decided eight years ago that its water control systems would not be connected to the Internet, and it uses teams of security watchstanders as well as redundant safety systems to protect its utility from sabotage.
Florida's Port Charlotte Sun reports that water systems in the southwestern part of the state tell the newspaper that they're unlikely to go the way of Oldsmar. "That's because remote access at treatment sites is either nonexistent or limited to select administrators, and not to outside vendors, as was suggested in the Oldsmar data breach, local officials say."
Wisconsin's Department of Natural Resources has joined its Massachusetts counterpart in urging local water systems to upgrade their cybersecurity, Government Technology reports. Wisconsin has six-hundred-eleven local water utilities, and the Department of Natural Resources urges them all to at least install firewalls and use strong passwords. That this advice would seem necessary is not particularly reassuring. That the state of Wisconsin alone has more than six-hundred local water systems suggests the extent of the security challenge, and the very large number of potentially vulnerable attack surfaces.
Lessons for critical infrastructure.
Mieng Lim, VP of product management at Digital Defense, Inc., wrote that Oldsmar should provide a lesson for other infrastructure sectors:
“The incident at the Oldsmar, Florida water treatment plant is a reminder that our nation’s critical infrastructure is continually at risk; not only from nation-state attackers, but also from malicious actors with unknown motives and goals. Our dependency on critical infrastructure – power grids, utilities, water supplies, communications, financial services, emergency services, etc. – on a daily basis emphasizes the need to ensure the systems are defended against any adversary. Proactive security measures are crucial to safeguard critical infrastructure systems when perimeter defenses have been compromised or circumvented. We have to get back to the basics – re-evaluate and rebuild security protections from the ground up.”
But other incidents of cybersabotage also have lessons for water utilities. DomainTools' Joe Slowik, blogging about Oldsmar, reviews four other high-profile attacks that successfully hit control systems: the Stuxnet attack on Iranian uranium-enrichment centrifuges, the GRU's disruption of local Ukrainian power distribution in late 2015, Russia's repeat performance against the grid around Kiev in 2016, this time using Industroyer/CRASHOVERRIDE with its wiper component, and 2017's Triton/Trisis attack on a Saudi petrochemical facility. All four were at least partly successful, which the Oldsmar cybersabotage attempt was not, and all four were evasive, which Oldsmar also was not.
"Overall, these four examples of high-profile, technically complex ICS attack scenarios emphasize a critical barrier to adversary success: the ability to evade, influence, or outright deny operator visibility into and control over ICS environments," Slowik writes. "In all four examples, the attacks required some mechanism to hide from operators or deny their ability to correct or mitigate changes made to operating parameters." That wasn't the case in Oldsmar. The attempt there was neither complex nor obscure. Water utilities and others may not be so fortunate the next time around.
Identifying and managing cyber risk to control systems.
The three vulnerabilities most often mentioned in connection with the Oldsmar cybersabotage have been password-sharing (a matter of cyber hygiene), use of beyond-end-of-life software (a patching and updating issue), and the use of TeamViewer for remote access to control systems. Jeremy Turner, Head of Threat Intelligence at Coalition, wrote to point out that TeamViewer is far from the only software used for remote access, and that, moreover, it's not even one of the less secure tools employed for that purpose:
“TeamViewer is the lightning rod in this story, but the reality is that it is just one tool on the cyber criminal’s toolbelt. It is likely that a separate malware infection scraped the TeamViewer credentials, which the threat actor then used to remotely access the system via TeamViewer. But TeamViewer is still more secure than other cybersecurity weak spots like RDP, since it doesn't present itself as an easily detectable signal.... TeamViewer is not the only technology in this category that gets used this way, but it's part of an attacker method known as ‘living off the land.’”
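As an added example (not code from Coalition, TeamViewer or the article), the script below reads constructed session records modelled on the tab-separated layout of TeamViewer's Connections_incoming.txt and flags remote sessions into an operator workstation that come from IDs outside a short approved-administrator list, start outside a maintenance window, or are not plain remote-control sessions; the log layout is an assumption, and the IDs, names and window are constructed.

```python
from datetime import datetime, time

# Constructed sample: remote ID, display name, start, end, local user, session
# type, connection GUID. Nothing here is a real TeamViewer ID or a real machine.
SAMPLE_LOG = """\
111111111\tPlant-IT-Admin\t08-02-2021 09:12:03\t08-02-2021 09:40:51\toperator\tRemoteControl\t{c1}
222222222\tVendor-Support\t08-02-2021 14:05:10\t08-02-2021 14:20:00\toperator\tRemoteControl\t{c2}
111111111\tPlant-IT-Admin\t08-02-2021 02:31:44\t08-02-2021 02:38:02\toperator\tRemoteControl\t{c3}
333333333\tUnknown\t08-02-2021 13:00:00\t08-02-2021 13:07:30\toperator\tFileTransfer\t{c4}
"""

APPROVED_REMOTE_IDS = {"111111111"}              # the "select administrators" allowed in
MAINTENANCE_WINDOW = (time(8, 0), time(17, 0))   # assumed change window for remote work
TS = "%d-%m-%Y %H:%M:%S"


def parse_sessions(text: str) -> list:
    """Turn the tab-separated records into dicts with parsed timestamps."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rid, name, start, end, user, mode, cid = line.split("\t")
        sessions.append({"remote_id": rid, "name": name,
                         "start": datetime.strptime(start, TS),
                         "end": datetime.strptime(end, TS),
                         "local_user": user, "mode": mode, "conn_id": cid})
    return sessions


def findings(sessions: list, approved=APPROVED_REMOTE_IDS, window=MAINTENANCE_WINDOW) -> list:
    """Return (connection id, reasons) for every session that breaks a rule."""
    out = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in approved:
            reasons.append("remote ID not on the approved-administrator list")
        if not (window[0] <= s["start"].time() <= window[1]):
            reasons.append("session started outside the maintenance window")
        if s["mode"] != "RemoteControl":
            reasons.append("unexpected session type " + s["mode"])
        if reasons:
            out.append((s["conn_id"], reasons))
    return out


if __name__ == "__main__":
    for conn_id, reasons in findings(parse_sessions(SAMPLE_LOG)):
        print(conn_id, "; ".join(reasons))
```

The same rules apply to any remote-access tool's connection log once its fields are mapped onto the dict above; the point is an allowlist of who may connect and when, reviewed against what actually connected.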
Chris Hickman, chief security officer at digital identity security vendor Keyfactor, reminds us that, with the industrial IoT, it's at least as important to authenticate devices as it is to authenticate users. "If your only line of protection is user authentication, it will be compromised. It's not necessarily about who connects to the system, but what that user can access once they're inside," he wrote. "If the network could have authenticated the validity of the device connecting to the network, the connection would've failed because hackers rarely have possession of authorized devices."