This week’s attack on a Florida city’s (Oldsmar) water treatment system was not sophisticated, nor were the protection measures that prevented its potentially deadly outcome. That’s what makes this attack so concerning.
Because back in July 2020, the NSA and CISA warned of the perfect storm facing critical operations reliant upon operational technology (otherwise known as OT). They strongly warned that the underlying technologies enabling critical operations in industries ranging from energy and utilities to manufacturing are massively and increasingly vulnerable with every passing day, actively under attack, and those being attacked do not have the visibility required to effectively identify and respond to such attacks.
The other reminder for some and wake-up call for others issued through the same advisory was that the threats themselves range from script kiddies to nation states. Open information sources (e.g. Shodan) and penetration testing toolkits (e.g. Metasploit) being used by practitioners and bad actors alike make it easier than ever for any actor with malicious intent to identify and exploit critical OT vulnerabilities.
In summary, a bad actor gained unauthorized remote access to Oldsmar’s water treatment systems and increased the levels of a chemical known as sodium hydroxide, commonly referred to as lye, by a factor of 100. If ingested in high amounts, this chemical can be deadly.
The bad actor gained access through the TeamViewer solution, which had been previously deployed to enable legitimate remote management of water facility systems. It’s most likely that account credentials were simply compromised and were unprotected by an effective MFA capability, token-based or otherwise. The proverbial ticking time bomb.
So what actually stopped this attack in its tracks and helped avoid a potentially deadly event? An individual that happened to be staring at a screen. Yes, that’s it.
Why Is This So Concerning?
If a utility or critical infrastructure provider is unable to systematically protect against or rapidly detect and respond to the unauthorized or misuse of a remote access solution into the systems that matter most to operations and even downstream lives, what about a more sophisticated attack executed by a nation state actor? If the story in Florida involved a bad actor exploiting one of the many vulnerabilities associated with invisible IoT devices or critical OT devices built to stand the test of time, we would likely be having a very different conversation.
We’re vulnerable, we’re under attack, but we’re not yet moving fast enough in gaining full visibility into our critical OT environments and our integrated unmanaged devices that are at risk for exploitation or disruption with potentially material impacts.
We’ve already been warned by the US intelligence agencies with unparalleled visibility into the attack surface facing these environments and the range of bad actors exploiting the attack surface to achieve their malicious outcomes. We also continue to see escalating examples of such attacks with the potential to disrupt human lives, with this being only the latest in a growing string of real world examples that highlight the importance of securing not only remote access but critical systems that fall outside of traditional IT categories (e.g. servers, PCs, tablets).
More sophisticated bad actors are also likely looking at this event as a reminder of the potential and now the ease of targeting such operations. Unfortunately, the ransom that could be demanded if a bad actor was able to gain full control of such a utility management system would likely be unparalleled- and they’ve just been reminded of how easy this may be to execute.
The threat is real, as is the opportunity to mitigate underlying risks of exploitation, disruption, and even impact to human life.
What Should Critical OT Operations Take Away From This Incident?
Step One – Ensure Alignment. If your operation is critically reliant upon operational technology and Cybersecurity and OT/Engineering functions and have not already started aligning on a strategy and plan to establish a baseline understanding of risk and a prioritized mitigation game plan, this should be step one.
As the protection of OT environments and devices was rarely in full scope for cybersecurity until recently, cyber’s visibility and contextual understanding of these environments has historically been highly limited. With the ever-present and growing threat of OT operation disruption, it’s arguably necessary to accelerate the closure of this visibility gap using modern solutions built to understand non-traditional devices and help manage the risks around such devices.
Step Two – Review Your Tools. Modern technologies such as Armis allow for the continuous, passive, and contextual mapping and monitoring of these environments and their devices, eliminating the potential for our tools to result in the operational disruption that we’re building to avoid. Context also means tracking the behavior of devices and their connections over time to ensure you understand when a device starts behaving suspiciously or maliciously.
Step Three – Address The Edge. Also, let’s not lose sight of the basics. Edge access remains critical and should always be tightly controlled, require multiple pieces of authentication to prove identity, and continuously monitored for abnormal and potentially malicious activity. For those that have yet to take the time to assess and secure the various methods of remote access in their environments, this should be a top priority and a recurring activity going forward.
Many enterprises are effectively protecting themselves against such attacks by employing such a strategy. This should be the reminder for the rest of us that the risk is real, as is our opportunity to safeguard our operations and downstream consumers.
To learn more about how Armis can help to secure your OT environment, check out our white paper.