The dust (new details and disclosures) seems to be settling on the incident at the Oldsmar, Florida Water Treatment Plant that occurred on February 5, 2021. If you haven’t already, now is a good time to confirm that your utility is not vulnerable to the same basic cybersecurity shortcomings that reportedly contributed to the incident and/or have been identified during the investigation.
- Internet-exposed devices. Given how easily internet-exposed devices are discoverable through widely available tools such as Shodan, it is imperative for every utility to inventory every device on its network and discover anything potentially exposed to the internet before the bad guys do. Once devices and access paths are discovered, it is necessary to minimize exposure through network segmentation devices and software that restrict unauthorized traffic.
- Shared passwords. Multiple resources have stated that a shared password was used for the TeamViewer instance, and it is believed the same password was used to log in to the session when the chemical adjustment was made. Furthermore, Forbes reports “that same password was used on all of the plant’s computers.” Passwords should never be shared. Multifactor authentication should be employed wherever and whenever possible. There are multiple reasons not to share passwords, one being that any leaked credential (which may have occurred in the Oldsmar case) gives away the keys to the kingdom.
- Dormant remote access software. Among other configurations that are not recommended, it was disclosed that the TeamViewer software leveraged in the Oldsmar incident had not been used for approximately six months. The use of TeamViewer notwithstanding, remote access, while practical (albeit not preferred), should never be perpetually enabled (24/7/365). It is recommended to enable remote access when needed and disable it after each session. If it does seem necessary to enable remote access for a protracted duration, it should at the very least be done in a secured fashion: not plug ‘n play, exposed to the internet (see #1) with a shared password (see #2).
Additional considerations for securing remote access include:
- Identify internet accessible OT devices on your network through an internet search (such as Shodan, Censys, Google, etc.) before the bad guys do
- Implement network segmentation to limit lateral movement
- If remote access is absolutely necessary, use a securely configured VPN
- Filter traffic with methods such as whitelisting or geo-blocking to prevent access from unauthorized persons or places
- Encrypt traffic
- Use non-trivial authentication methods (at the very least, enforce strong and unique passwords and multifactor authentication)
- Configure access for user accounts with the absolute least privilege needed to accomplish the task (do not allow administrator access, and consider applying zero trust)
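The shortcomings above (internet-exposed remote access, a credential shared across hosts, a remote-access tool left enabled but unused for months, administrator rights without MFA) can be checked against an asset inventory before an incident. The following is an added example and not WaterISAC code; it runs a simple audit over a constructed sample inventory, with the 90-day dormancy threshold, the host records and the port-to-tool mapping all being assumptions for illustration.

```python
from datetime import date

# Constructed sample inventory (not real plant data), one record per host:
# internet-exposed TCP ports, remote-access tool and its last use, a hash of the
# operator credential, and whether that account has admin rights and MFA.
INVENTORY = [
    {"host": "hmi-01", "exposed_ports": [5938], "remote_tool": "TeamViewer",
     "remote_last_used": date(2020, 8, 10), "cred_hash": "a1b2", "admin": True, "mfa": False},
    {"host": "scada-srv", "exposed_ports": [], "remote_tool": None,
     "remote_last_used": None, "cred_hash": "a1b2", "admin": True, "mfa": False},
    {"host": "eng-ws-02", "exposed_ports": [], "remote_tool": "VPN",
     "remote_last_used": date(2021, 2, 1), "cred_hash": "c3d4", "admin": False, "mfa": True},
]
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}
DORMANT_DAYS = 90                   # assumed threshold for "unused remote access"
ASSESSMENT_DATE = date(2021, 2, 5)  # constructed: the date the audit is run


def audit(inventory, today):
    """Return (host, check, detail) findings for the basics called out above."""
    findings = []
    hosts_by_cred = {}
    for h in inventory:
        hosts_by_cred.setdefault(h["cred_hash"], []).append(h["host"])
        # Internet-exposed remote-access service (see #1)
        for port in h["exposed_ports"]:
            if port in REMOTE_ACCESS_PORTS:
                findings.append((h["host"], "internet-exposed",
                                 f"{REMOTE_ACCESS_PORTS[port]} (tcp/{port}) reachable from the internet"))
        # Remote-access tool still enabled but long unused (see #3)
        if h["remote_tool"] and h["remote_last_used"]:
            idle = (today - h["remote_last_used"]).days
            if idle > DORMANT_DAYS:
                findings.append((h["host"], "dormant-remote-access",
                                 f"{h['remote_tool']} enabled but unused for {idle} days"))
        # Least privilege and multifactor authentication
        if h["admin"]:
            findings.append((h["host"], "admin-logon", "operator account has administrator rights"))
        if not h["mfa"]:
            findings.append((h["host"], "no-mfa", "multifactor authentication not enforced"))
    # Same credential on more than one host, compared by hash only (see #2)
    for hosts in hosts_by_cred.values():
        if len(hosts) > 1:
            findings.append(("*", "shared-password", "one credential used on: " + ", ".join(hosts)))
    return findings


if __name__ == "__main__":
    for host, check, detail in audit(INVENTORY, ASSESSMENT_DATE):
        print(f"{host:10} {check:22} {detail}")
```

Feeding the checker with real inventory and last-logon data (from the remote-access tool's own logs or an external exposure scan) turns the checklist above into a repeatable control rather than a one-time review.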
While addressing the basics doesn’t make anyone bulletproof, it does go a long way toward improving cybersecurity posture, regardless of actor intent or motivation. Furthermore, it is recognized that resource-constrained utilities often lack the information necessary to implement even the most basic secure configurations. And while what occurred at Oldsmar is unfortunate, it is hoped that their transparency propels cybersecurity forward for the smaller critical infrastructure utilities by way of much-needed assistance, training, and broader information sharing to help everyone. For more of the basics, please access WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities.