Law enforcement authorities in Florida announced on Monday that a hacker had tried to increase the levels of sodium hydroxide in an attempt to poison the water supply. The hacker, who is still unidentified, gained access to a control panel that was password protected but accessible using TeamViewer, a remote control software, according to local authorities.
TeamViewer is a popular software that allows users to connect to other computers and use them remotely. According to its maker, there are 200 million users of TeamViewer worldwide. TeamViewer is perfect if you're the computer nerd in the family who has to keep your parents computers up to date and troubleshoot when they can't access the family pictures. It allows users to take full control of the target computer and use it just as if they were the person in front of the screen.
It's incredibly easy to use, but security experts say it's also a potential nightmare specifically because of how much access it has to the underlying computer. In some corners of the security world, TeamViewer has even become a meme because of insecure implementations. In other words, this may not be the software you want if you're managing critical infrastructure. And yet, it's widely used in those environments, according to experts in industrial control systems (also known as ICS).
"TeamViewer is almost ubiquitous in industrial environments, particularly since the pandemic started," said Lesley Carhart, a principal threat analyst at industrial control system security firm Dragos. "It’s not my ideal choice by any means for secure access to ICS environments. But there are ways to make it more secure if it’s the only available option."
Carhart said that for her, the ideal would be not to use TeamViewer and instead to set up a secure VPN to the organization's internal network, then a secured login with mandatory multi-factor authentication to an intermediate host, and then another secure login inside the network that controls the critical infrastructure. Using TeamViewer, she added, "kind of hops over that if you let it."
Chris Sistrunk, a technical manager at Mandiant who specializes in ICS security, and Patrick Miller, the U.S. Coordinator at the Industrial Cybersecurity Center, both agreed that's the ideal setup.
Do you know more about this hack? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Sistrunk cautioned against blaming the victim, as "water utilities are struggling enough with aging infrastructure and clogged pipes as it is." He also pointed to a series of best practices published by the Water Information Sharing and Analysis Center (WaterISAC), a trade group that works with the U.S. Environmental Protection Agency, which explain a series of fundamental cybersecurity best practices that should be adopted inside critical infrastructure.
"Is it normal/OK to use TeamViewer...? Yes it is normal. No it is not OK," Miller told Motherboard in an online chat. "Many of us in the industry have memes for when we find TeamViewer…"
"This is an education or attitude problem. Allowing weak controls on remote access to critical systems is the issue," Miller added. "Someone either chose to do this for convenience with knowledge of the risks or they were ignorant of the risk and thought it wouldn’t be found (or that it was secure enough in this configuration)."
There's still a lot we don't know about the hack of the City of Oldsmar's water treatment system, and the details of how the hacker took control will be the key in knowing how much the water utility was responsible for not securing its systems. Either way, the good news is that the water utility caught the intrusion, which wasn't as subtle as it could have been. And it's unlikely an attack like this would have worked against other utilities either, according to experts.
"Even though the hacker knew enough to manipulate a dangerous chemical, this intrusion still feels a bit ham fisted," Carhart said. "In most environments the change would have been caught fairly rapidly."
Moreover, it's actually unlikely that the hacker could have really caused widespread harm. Most water systems have physical limits on how much of a certain chemical can be pumped into the process, according to Miller.
"It’s an actual physical size restriction." Miller said. "Meaning you just can’t physically move that much chemical through the system that fast. So, even if the [Programmable Logic Controller] accepted some crazy value like 1000ppm when it was expecting 10ppm (which is still unlikely), you couldn’t make that happen quickly because the physical equipment isn’t capable of doing it."
Subscribe to our cybersecurity podcast CYBER, here.