The attack on the water treatment facility in Oldsmar, Florida, disclosed last week, highlights security shortfalls in the water utility sector and across the rest of U.S. critical infrastructure.
In this interview with Cecilia Marinier of the RSA Conference, SCYTHE CEO Bryson Bort breaks down how the attackers gained access and speaks to the multiple issues we are facing today with ransomware and critical infrastructure.
Leveraging remote access and software systems to attack water treatment facilities, although rarely seen, has been predicted for many years. Bryson Bort, along with ICS Village co-founder Tom VanNorman, demonstrated this possibility during an Atlantic Council event several years ago.
The days of investing only in preventive controls to stop an attack are long gone. Breaches are inevitable. The real question every organization should be asking is how quickly it can detect, respond to, and ultimately mitigate future intrusions.
Q: How did the attacker gain access to this water treatment facility?
A: There was unauthorized access through a remote desktop application called TeamViewer. TeamViewer is an extremely common tool used in IT environments for troubleshooting. This hacker most likely accessed that human-machine interface (HMI), which presented a simple visual representation of the system and allowed them to make changes.
Q: What did the attacker do when logged on to the system?
A: The attacker logged in and the operator on duty watched as the mouse moved slowly across the screen to change a particular chemical additive to what could have been a possibly dangerous level. The operator watched the unauthorized intruder log out, and then changed the chemicals back to a safe level. In this case, there was no actual damage done since this attack was being observed in real time. However, this attack has been a huge wake-up call to understanding potential future threats and how dangerous they can be.
Q: Occasionally, breaches occur because critical infrastructure is made up of old software that hasn’t been updated. Was this the reason for this breach?
A: We know for certain that this hack was done through TeamViewer. In this case, as we often see with threats to industrial control systems, this was an individual simply using the system in the way that it was designed. The hack was intended to send unauthorized commands that would push the levels out of tolerance to potentially cause harm.
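The point Bort makes above is that the intruder simply issued setpoint writes the HMI was designed to accept, so the defence has to sit outside the HMI: a controller-side engineering band that rejects out-of-tolerance values, plus detection that flags any setpoint write arriving over a remote session. The following is an added example written for this page, not code from SCYTHE or from the interview; the audit-line format, tag names, limits and sample lines are all constructed placeholders, not the Oldsmar plant's real configuration.

```python
"""Added example: enforce setpoint tolerance bands outside the HMI and flag
setpoint writes made over a remote session. All tags, limits and audit lines
are constructed for illustration, not any real plant's configuration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed engineering limits per process tag (placeholder values).
SAFE_BANDS: Dict[str, Tuple[float, float]] = {
    "chem_dose_ppm": (50.0, 120.0),
    "ph_setpoint": (6.5, 8.5),
}


@dataclass(frozen=True)
class SetpointChange:
    tag: str
    old: float
    new: float
    user: str
    session: str  # "console" = local operator station, "remote" = remote-desktop session


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    change: SetpointChange


def parse_audit_line(line: str) -> SetpointChange:
    """Parse one constructed HMI audit line of the form
    'tag=<name> old=<float> new=<float> user=<id> session=<console|remote>'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return SetpointChange(
        tag=fields["tag"],
        old=float(fields["old"]),
        new=float(fields["new"]),
        user=fields["user"],
        session=fields["session"],
    )


def enforce_band(tag: str, requested: float) -> Optional[float]:
    """Controller-side guard: accept the value only if it lies inside the
    engineering band for the tag; return None to reject it. Because this check
    is enforced below the HMI, a remote-desktop user cannot bypass it by
    clicking through the screen the operator normally uses."""
    band = SAFE_BANDS.get(tag)
    if band is None:
        return None  # unknown tag: refuse rather than guess a limit
    lo, hi = band
    return requested if lo <= requested <= hi else None


def evaluate(change: SetpointChange) -> List[Finding]:
    """Detection logic: flag out-of-band writes and any write from a remote session."""
    findings: List[Finding] = []
    if enforce_band(change.tag, change.new) is None:
        band = SAFE_BANDS.get(change.tag)
        detail = f"outside band {band}" if band else "no engineering band defined"
        findings.append(Finding("critical", f"{change.tag}={change.new} {detail}", change))
    if change.session == "remote":
        findings.append(
            Finding("high", f"{change.tag} changed over remote session by {change.user}", change)
        )
    return findings


def scan(lines: List[str]) -> List[Finding]:
    """Run the detection logic over a whole audit trail."""
    return [f for line in lines for f in evaluate(parse_audit_line(line))]


# Constructed sample audit trail: a routine local adjustment, a remote-session
# write far outside the band, and the operator restoring the safe value.
SAMPLE_AUDIT = [
    "tag=chem_dose_ppm old=100 new=105 user=op_day session=console",
    "tag=chem_dose_ppm old=105 new=9000 user=svc_remote session=remote",
    "tag=chem_dose_ppm old=9000 new=100 user=op_day session=console",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT):
        print(f"[{f.severity}] {f.reason}")
```

Two design choices matter here. `enforce_band` returns `None` for an unknown tag rather than passing the value through, so a tag nobody has defined limits for fails closed. And the remote-session finding fires regardless of the value written, because the interview's own lesson is that a legitimate-looking change from an unexpected access path deserves a human's attention even when it stays in range.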
Q: How can one tell the difference between a regular computer and an industrial control system?
A: Industrial control systems are at least twenty years old. The upside to industrial control systems that provides a certain level of security is that these systems are more obscure, and not everybody is familiar with or understands how they work.
Q: What is the big picture message regarding critical infrastructure industries, that will allow people to be more prepared in the event that a similar attack happens in the future?
A: Thankfully, this attack was resolved before it caused any actual damage. However, this could have been extremely costly if performed by a more advanced adversary or paired with something like ransomware. Ransomware is a huge concern and can cause critical infrastructure to be even more vulnerable.
Q: Was this attack a trial run for something bigger?
A: Coincidentally, this happened on the Friday before the Super Bowl at a water plant right by Tampa Bay. We can only speculate on whether or not this was purposeful. This particular water treatment facility did not actually affect that part of Tampa so this could have been a mistake. This looks to be more of an opportunistic amateur who operated during normal business hours, not even trying to hide their actions.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.