At the onset of the pandemic, organizations rushed to deploy remote access to prevent costly interruptions and adapt their workforces to COVID-19. Unfortunately, hasty digital transformations left behind a patchwork of remote access capabilities vulnerable to exploit, particularly in operational technology (OT) environments. As a result, we’ve witnessed a number of attacks on industrial operations, including most recently the attack on the water treatment facility in Oldsmar, Fla.
With the growing convergence of IT and OT, connected operations have become vulnerable to the same threats as their IT counterparts – with remote access creating a bridge for hackers to make their way into OT environments. These system breaches can have widespread reach leading to catastrophic repercussions, and in Oldsmar’s case, they could have even been fatal.
Understanding what went wrong
In early February, attackers took control over one of Oldsmar’s water treatment plant systems, increasing the amount of sodium hydroxide (aka lye) by 11 times. If an operator had not noticed the inconsistency and quickly reversed it, we would have had a major safety event.
The cause of the compromise has been traced back to the treatment plant’s use of Windows 7 – an operating system no longer supported by Microsoft. Investigators believe that hackers may have tapped into the system by exploiting weak password protection and likely used TeamViewer – a desktop sharing software – to gain unauthorized system access. In this instance, once hackers gained access through a single point of entry, namely the Windows 7 machine, they tapped into the treatment center’s operational equipment – all remotely.
In other words, the Oldsmar setup reflected at least four security vulnerabilities:
- The exploitation of a single point of entry: a Windows machine with a weak machine-level password.
- Reliance on the machine-level password, with no requirement for user-level authentication. The attacker did not have to prove they were an authorized user; knowledge of the one machine-level password was sufficient to execute the attack.
- Unterminated direct-access protocols exposed on the internet. It was TeamViewer in this case – for another organization it could have been RDP or VNC. These direct-desktop-control protocols are open to attack when exposed publicly. Security teams must proxy them via a secure termination and authorization system.
- Open access from the Windows machine to other operational components without any additional policy enforcement. The attacker should have had to prove that they were authorized to adjust the lye level, but in this case, mere access to the Windows machine was sufficient to let them make changes.
The Zero Trust approach
In scenarios like these, a Zero Trust approach to OT remote access can make all the difference. It uses unique identities and credentials for users and apps to secure OT, only granting authorization via a limited set of specifically-defined policies. Such an approach requires that:
- Device/machine passwords are part of the managed identity system, ensuring the passwords are always complex and difficult to guess.
- Users must authenticate themselves before being granted any further access.
- Direct access protocols are terminated on-site, with proxy access granted only to authorized users.
- The principle of “the least amount of access for the least amount of time” – a core tenet of Zero Trust – ensures that access to a single entry point does not grant users the broad ability to access and make changes systemwide.
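The sketch below is an added example, not code from any product or from the Oldsmar investigation. It shows how a policy check at an access proxy could enforce the requirements above: a proxied session, user-level authentication, and a per-action grant limited in time. The asset name, user name, action names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str             # individual identity, never a shared machine account
    asset: str            # hypothetical asset name, e.g. "hmi-1"
    action: str           # "view" or "write_setpoint"
    not_before: datetime
    not_after: datetime   # least access for the least amount of time

@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None: only the machine-level password was presented
    authenticated: bool   # result of user-level authentication
    via_proxy: bool       # session terminated at the on-site access proxy
    asset: str
    action: str
    at: datetime

def authorize(req, grants):
    """Return (allowed, reason) for one request against the grant list."""
    if not req.via_proxy:
        return False, "direct protocol session not terminated at proxy"
    if req.user is None or not req.authenticated:
        return False, "no user-level authentication"
    matching = [g for g in grants
                if (g.user, g.asset, g.action) == (req.user, req.asset, req.action)]
    if not matching:
        return False, "no grant for this action on this asset"
    if any(g.not_before <= req.at <= g.not_after for g in matching):
        return True, "granted"
    return False, "grant outside its time window"

# Constructed sample policy: viewing for a shift, setpoint writes for 30 minutes.
T0 = datetime(2021, 1, 1, 8, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "hmi-1", "view", T0, T0 + timedelta(hours=8)),
    Grant("alice", "hmi-1", "write_setpoint", T0, T0 + timedelta(minutes=30)),
]

if __name__ == "__main__":
    for r in (
        Request(None, False, True, "hmi-1", "write_setpoint", T0),
        Request("alice", True, True, "hmi-1", "write_setpoint", T0 + timedelta(hours=1)),
        Request("alice", True, True, "hmi-1", "view", T0 + timedelta(hours=1)),
    ):
        print(r.user, r.action, authorize(r, GRANTS))
```

With this policy, reaching the machine is never enough on its own: a setpoint change needs an authenticated user holding a grant for that specific action that is still inside its time window.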
Particularly when attacks on industrial control systems (ICS) and OT have increased exponentially, it’s critical that organizations adopt Zero Trust – not just to protect themselves, but to ensure that stakeholders across the supply chain are also secured. As malware has become more sophisticated, aggressive attacks can traverse traditional stopgaps, spreading throughout IT, OT, and the cloud. As witnessed in the SolarWinds incident, these breaches can metastasize in stealth, impacting participating customers and partners.
The way forward
Organizations have often lacked the internal infrastructure and capital necessary to implement Zero Trust principles. More recently, Zero Trust solutions have become more accessible both in cost and via the cloud – allowing organizations of any size to properly implement Zero Trust. Products are also available that overlay new and legacy assets to avoid costly cybersecurity-driven equipment obsolescence. And with self-configuring software available, customers can even deploy Zero Trust remote access in minutes.
In today’s remote-first world, it is imperative that organizations embrace a Zero Trust approach as a fundamental tool to secure operations, as well as to improve their safety, efficiency, and accessibility. Otherwise, organizations will continue to experience damaging and costly hacks. Experts estimate that paid ransomware demands in the United States alone could total $1.3 trillion annually, averaging $178,000 per payment – reaching $620,000 with cleanup costs. Few organizations can afford such costs, let alone the reputational damage.
Duncan Greatwood, chief executive officer, Xage