One of the worst fears of humanity came true last week. Ever since cyberattacks started increasing in variety affecting organizations of all types and sizes, it was feared that cybercriminals would one day target the public infrastructure and attempt to sabotage the utility services. The cyberattack on the control systems at a water treatment plant in Oldsmar, Florida, has come as a rude shock.
For the uninitiated …
On Feb 5, a hacker remotely accessed a computer (hosting water treatment control system) being used by an operator at the Oldsmar city water treatment plant. The hacker had remote access for about 2-3 minutes, during which he raised the levels of sodium hydroxide in the water from about 100 parts per million to 11,100 parts per million. However, the vigilant operator noticed it and promptly reverted the settings, thus averting a disaster. Apparently, the hacker had gained unauthorized access to the water treatment control system through the TeamViewer application used by the plant’s operators.
Though the FBI and other enforcement agencies are conducting an investigation and exact information about the cause of the incident is yet to be ascertained, security researchers, quoting various authorities and sources, have opined that lax security practices have caused this attack. Specifically, they allege that:
- All computers connected to the plant’s SCADA system shared the same password for remote access.
- The TeamViewer account had full privileges allowing remote users to take complete control of the computer.
- The computers were connected to the internet without a firewall in between
- The computers were running outdated Windows 7 operating system.
Whatever be the actual cause, the fundamental issue boils down to unauthorized remote privileged access to a critical system.
Evolving threats, repetitive patterns
We witness a variety of attacks day in and day out and see hackers adopting innovative tactics. No doubt, the threat landscape is continuously (and rapidly) evolving. However, we do see a repetitive pattern in the attacks. The involvement of stolen credentials and misuse of administrative access are increasingly reported in many attacks. The attack on the control systems of Oldsmar city water treatment too seems to be falling under this attack pattern.
Cybercriminals are always on the lookout for administrative credentials. Many times, attackers don’t actually hack into networks; they simply royally walk-in using stolen, weak, or compromised credentials freely available on the dark web. They follow a few other simple techniques such as phishing emails to deliver malware and gain a foothold on machines. Known vulnerabilities that remain unpatched make their job easy. They then proceed to capture administrative credentials from hashes or through keystroke loggers and move across the network and finally perpetrate the attack by exploiting privileged access.
Neglecting fundamental security aspects often leads to deadly attacks
Combating cyber-attacks certainly requires a multi-pronged strategy. Many organizations concentrate on deploying sophisticated and advanced security arsenal but lose sight of the fundamental measures. If there are holes in the foundational elements, it becomes a cakewalk for hackers to grab the low hanging fruits.
Some of the most neglected security fundamentals include:
- Password security best practices
- Multi-factor Authentication enforcement
- IT access controls
- Timely patching to fix known vulnerabilities
Lack of these measures has led to some of the worst data breaches in recent times. Of these, poor password hygiene is perhaps the most notorious factor.
Reusing the same passwords across multiple resources is a recipe for disaster. Yet, this practice goes unchecked in many organizations. It is quite common to see the same passwords assigned to multiple IT assets; developers reusing passwords across their personal and work accounts; passwords on spreadsheets circulated across departments; a departing IT staff exiting with a copy of all the credentials, and similar practices.
When developers reuse passwords, a compromise of one of their personal accounts gives hackers easy access to corporate data. Uncontrolled or unmonitored access often leads to exploitation by malicious insiders. Weak security practices and vulnerabilities in the supply chain lead to breaches upstream.
When IT divisions enforce certain practices, end users come up with exemption requests or find ways to circumvent the process. Citing work priorities, users raise requests for relaxation when passwords are to be changed, when MFA takes force, when maintenance is due, when a monitoring system needs to be deployed, or when a scan is to be done.
A wake-up call to strengthen security basics
The Florida water plant hack underscores the importance of basic security measures. Strict adherence to basic security principles could have probably helped avert this incident.
Not all security incidents can be prevented - there is absolutely no magic wand or a silver bullet available yet. But by concentrating on the basics, IT departments can undoubtedly prevent a good number of attacks.
This is a wake-up call. IT divisions should review the measures in place to ensure security basics like checking ‘who’ has access to ‘what’; monitoring the systems exposed to the internet; keeping the infrastructure in top shape with timely patching and updates; controlling access to sensitive systems; ensuring that security controls are not relaxed or bypassed; and adopting password hygiene. This may sound too obvious but in reality, much neglected.