Dive Brief:
- Similarities between electric and water utilities mean the power industry should pay close attention to the recent hacking of a Florida water treatment plant, according to security experts. Hackers used a piece of software called TeamViewer to access the plant's supervisory control and data acquisition (SCADA) systems.
- Cyber criminals attempted to significantly raise the amount of lye added to the water supply of the city of Oldsmar. The attack was thwarted by plant personnel and experts say it was not a sophisticated effort.
- "This is not really the fault of TeamViewer as much as the users in this case just not securing their passwords or access rights," said Gary Kinghorn, marketing director at Tempered, which specializes in network security. The plant's computers shared passwords and ran outdated operating systems, according to a Massachusetts government warning to water companies.
Dive Insight:
It's been just two months since news broke that a sophisticated and widespread hack, SolarWinds, breached hundreds of companies and several government agencies.
"You hate to say it's almost becoming a footnote," said J.D. Henry, a regional advisor to the U.S. Cybersecurity and Infrastructure Security Agency. Henry spoke Wednesday about securing water supplies at a winter policy summit hosted by the National Association of Regulatory Utility Commissioners.
"These things continue to happen. We see these things growing," he said. "Attackers are getting better than most defenders."
In the Oldsmar incident, however, experts say there is little evidence this was a complicated attack.
According to the alert from Massachusetts officials to public water suppliers, the computers used by Oldsmar personnel "were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed."
A notification published by the Federal Bureau of Investigation said hackers "likely accessed the system by exploiting cyber security weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment."
Kinghorn says the hack illustrates the importance of maintaining critical infrastructure with a "virtual air-gap" from remote access, and says there are software solutions to ensure systems are not reachable by unauthorized attackers. Electric utilities should be paying attention to this event, he said.
"There's a lot of similarities between water and electric utilities," Kinghorn said. "They are both mission critical and there is a chance to do real damage. They are both comprised of systems difficult to maintain, patch and secure, and yet you still need remote access. ... As more administration needs to be done remotely, you're going to need to figure out how to get these systems securely accessed. People are not taking it seriously."
In the case of the Oldsmar hack, Kinghorn said "there's no indication this was a sophisticated attack at all," and that it has more to do with a lack of security hygiene.
The TeamViewer software accessed by hackers is widely used, said Jerry Ray, chief operating officer at cybersecurity company SecureAge.
"We use it more frequently since the pandemic started," said Ray. "It's very broadly used, and by customers who would never have allowed it in the past" due to security concerns.
The TeamViewer software allows for remote control and desktop sharing. The company describes it as a "comprehensive remote access" solution and says the application has 200 million users worldwide.
TeamViewer, in a statement, said it is "in close alignment" with law enforcement, and "based on cooperative information sharing, a diligent technical investigation did not find any indication for suspicious connection activity via our platform."
Experts say the attack also illustrates the dual skill sets hackers need to remotely attack industrial control systems.
"This was very unsophisticated and clumsy from the IT side, but from the water treatment side it was rather complicated," said Ray. "If it was a nation-state, anyone who was trained, with significant funding, we would never have known about it."
The preferred security solution for industrial control systems at critical facilities includes multi-factor authentication, remote access through encrypted tunnels, identity-based policies set in conjunction with remote access programs, and military-grade encryption, said Kinghorn.
"You should be able to close up these holes with enough focus. It's just a matter of realizing there is some sloppiness there," he said. However, "I think we're going to see more of these things in the future."