Learning from the Oldsmar Water Treatment Attack to Prevent Critical Infrastructure Breaches

By Tony Goulding, Cybersecurity Evangelist at Centrify

The consequences of a data breach vary greatly with the intention of the adversary. Some hackers simply aim to cause disruption. Others steal valuable personally identifiable information (PII) to sell on the Dark Web, and still others extort money with ransomware. When a cyberattack is attempted against critical infrastructure such as hospitals, electrical grids, or water systems, the potential repercussions can affect thousands of individuals like you and me. It can be devastating — or even deadly.

The 2020 Global State of Industrial Cybersecurity report found that 74% of IT security professionals are more concerned about a cyberattack on critical infrastructure than an enterprise data breach. Over 65% believe that a cyberattack on critical infrastructure has the potential to inflict more damage.

The attempted attack on the Oldsmar, Florida water treatment plant in early February 2021 demonstrated the potentially dangerous and life-threatening consequences of compromised critical infrastructure. The attacker infiltrated the computer system that controlled the water treatment facility and remotely manipulated a computer to change the water supply’s chemical balance. In particular, the increase of sodium hydroxide could have seriously harmed or even killed human beings. Luckily, a supervisor caught the act in real time and reverted the changes.

The investigation of the Oldsmar incident revealed that the hacker gained access because the computer system was running an unsupported version of Windows with no firewall, and because the system was accessible only through a single TeamViewer password shared among the employees. These two issues are widespread amongst critical infrastructure organizations and the private sector alike.

Although the attack was discovered and stopped, the incident intensified the discussion on how the government and private sector can prevent these attacks. While the federal government investigates more serious breaches, state and local agencies are left picking up the pieces for minor attacks. Unfortunately, smaller municipalities do not have the resources to respond and will often be left struggling for hours, or even days, as the attack rages on. Therefore, it is vital to be proactive rather than reactive to reduce these cyber-risks.

The water plant breach demonstrated the importance of critical infrastructure organizations taking steps to implement the necessary security measures now to escape the consequences of a data breach later. Below, we outline the top actions these institutions can take today to protect themselves from attacks of this nature that leverage privileged credentials to achieve their goals.

Secure Remote Access for Administrators Without a VPN

The pandemic has changed the way most people work, with some companies not looking to return to office environments until the end of 2021 or 2022 (or ever). As a result, many companies have implemented virtual private networks (VPNs) to connect their employees safely and continue operations remotely.

Amid the chaos of switching to remote operations practically overnight at the beginning of the pandemic, many companies focused on regular employees. They failed to consider the extra access security that administrators require. These users – internal and outsourced IT, managed services providers, and other third parties – use accounts representing the “keys to the kingdom”, the accounts of highest potential value to hackers.

For many organizations, extending VPN-based remote access to the entire workforce was relatively quick and easy. However, VPNs introduce challenges and risks. A VPN-less approach reduces IT overhead: the user workstation is never attached to the internal network, so it cannot transmit a virus or malware to internal systems (a “clean source”), and the overhead of managing network policy solutions such as Cisco NAC is avoided. It also constrains access to only the resources each individual requires rather than the entire network, preventing lateral movement if a breach does occur.

Securing remote access, however, goes beyond the VPN. Critical infrastructure organizations need to evaluate how they protect access to privileged accounts and protect the systems where sensitive data lives. The best practice is to consolidate privileged identities and avoid standing privileges by enforcing least privilege. Organizations must also ensure a high level of certainty that it is indeed a legitimate admin taking actions on the resources and not an adversary – as was the case with the water treatment facility.

Enforcing least privilege and adopting what is referred to as a “Zero Trust” approach means trusting no one until they have been adequately verified and validated, re-establishing trust. Through self-service workflows, admins can request elevated privileges just-in-time, for a limited time. Verifying who is requesting access, the context of the request, and the risk of the access environment combine to mitigate the risk of a breach.

Vaulting Shared Passwords

The water treatment plant attacker was able to gain access to the network partially due to the same TeamViewer password being shared among its employees. While a shared password can be convenient, it’s a huge exposure. In fact, it is one of the easiest ways an adversary can gain access. If a disgruntled employee leaves and has access to the password, they can easily log back into the system if the credentials are not rotated. Potentially even worse, they can be sold to the highest bidder.

One step organizations can take to reduce the chances of a shared password being misused is password vaulting. This practice involves taking highly-privileged administrative accounts and passwords out of IT’s direct control and storing them securely in a software vault.

Roles and rights defined in the vault then control who is allowed access, when, and for how long – significantly reducing the risk of passwords being abused by internal or external threats. Password vaults include additional security features such as password rotation, password reconciliation, MFA, and a just-in-time access request and approval service.

Privilege Elevation

Organizations with more resources and mature privileged access management (PAM) implementations may augment the vault with privilege elevation controls. While the vault is excellent for protecting shared privileged accounts, privilege elevation protects the machine. It controls who can log in and what applications or commands they’re allowed to run once logged in. This is important because if a vaulted shared privileged account is compromised, the attacker can use it to log into systems masquerading as a legitimate user with a legitimate password. With a vault alone, the system can’t tell the difference.

Thus, both vaulting and privilege elevation are essential components of a mature PAM deployment. Still, privilege elevation has a much more significant positive effect on your PAM maturity and risk posture.
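The just-in-time request and approval workflow described under Zero Trust, the vault controls of the previous section (who may check a shared password out, for how long, and rotation when it is returned), and the post-login privilege elevation check described here, as one added Python illustration. This is not Centrify's code nor any vault product's API; the users, roles, hosts, commands, timestamps and the rule format are constructed for the example.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed sample directory (hypothetical users and roles, not from the article).
ROLE_MEMBERS = {
    "ot-admin": {"alice", "carol"},
    "ot-operator": {"bob"},
}

# Shared accounts held in the vault, mapped to the role allowed to check each one out.
ACCOUNTS = {"remote-support": "ot-admin"}

# Privilege elevation policy as (role, host glob, command glob); deny by default.
# No rule grants a right to change dosing setpoints, so even a user who holds the
# shared password legitimately cannot run such a command once logged in.
ELEVATION_RULES = [
    ("ot-operator", "hmi-*", "view-trend *"),
    ("ot-admin", "hmi-*", "view-trend *"),
    ("ot-admin", "hmi-*", "restart-service historian"),
]


def generate_password(length=24):
    """Random password used on every rotation, so a leaked value stops working."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def roles_of(user):
    return {role for role, members in ROLE_MEMBERS.items() if user in members}


class Vault:
    """Minimal model of a password vault with just-in-time, time-boxed check-out."""

    def __init__(self):
        self._passwords = {name: generate_password() for name in ACCOUNTS}
        self._active = {}   # account -> (user, expiry) while a check-out is live
        self.audit = []     # who got what, when, approved by whom

    def checkout(self, user, account, approver, now, ttl=timedelta(minutes=30)):
        """Release a shared password to `user` for `ttl`, after a peer approves."""
        role = ACCOUNTS[account]  # KeyError for an account the vault does not hold
        if role not in roles_of(user):
            raise PermissionError(f"{user} is not a member of {role}")
        if approver == user or role not in roles_of(approver):
            raise PermissionError("approval must come from another member of the role")
        current = self._active.get(account)
        if current is not None and current[1] > now:
            raise RuntimeError(f"{account} already checked out by {current[0]}")
        self._active[account] = (user, now + ttl)
        self.audit.append(f"{now.isoformat()} checkout {account} by {user}, approved by {approver}")
        return self._passwords[account]

    def checkin(self, account, now):
        """End the session and rotate the password so the released value is dead."""
        self._active.pop(account, None)
        self._passwords[account] = generate_password()
        self.audit.append(f"{now.isoformat()} checkin and rotate {account}")

    def authenticate(self, account, password, now):
        """The target system's question to the vault: is this password live right now?"""
        current = self._active.get(account)
        if current is None or current[1] <= now:
            return False
        return secrets.compare_digest(password, self._passwords[account])


def may_run(user, host, command):
    """Privilege elevation check made after login, independent of the password used."""
    roles = roles_of(user)
    return any(
        role in roles and fnmatchcase(host, host_glob) and fnmatchcase(command, cmd_glob)
        for role, host_glob, cmd_glob in ELEVATION_RULES
    )


def demo():
    """Walk through check-out, expiry, rotation, a denied request and elevation decisions."""
    t0 = datetime(2021, 2, 5, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    vault = Vault()
    password = vault.checkout("alice", "remote-support", approver="carol", now=t0)
    results = {
        "live_during_window": vault.authenticate("remote-support", password, t0 + timedelta(minutes=10)),
        "dead_after_expiry": vault.authenticate("remote-support", password, t0 + timedelta(minutes=31)),
    }
    vault.checkin("remote-support", t0 + timedelta(minutes=15))
    results["dead_after_rotation"] = vault.authenticate("remote-support", password, t0 + timedelta(minutes=16))
    try:
        vault.checkout("bob", "remote-support", approver="alice", now=t0 + timedelta(minutes=20))
        results["operator_checkout_denied"] = False
    except PermissionError:
        results["operator_checkout_denied"] = True
    results["admin_view_trend"] = may_run("alice", "hmi-01", "view-trend ph")
    results["admin_set_dosing"] = may_run("alice", "hmi-01", "set-dosing naoh PLACEHOLDER")
    results["operator_restart"] = may_run("bob", "hmi-01", "restart-service historian")
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry the article's argument: `authenticate` answers false both after the check-out window closes and after check-in rotates the password, so a copied credential has a short life; and `may_run` is evaluated against the human's role, not the shared account, so a system that sees a valid shared password still cannot tell that user is entitled to a dosing change unless a rule says so.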

Multi-Factor Authentication

Forrester Research has estimated that 80% of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials. Because organizations often cannot verify whether the user accessing data is who they say they are, multi-factor authentication (MFA) has become the gold standard for password security.

MFA requires an extra step to verify an identity beyond a username and password. Typically, it is recommended that the organization use something the user knows, like a text code or PIN; something they have, such as a mobile device or smart card; or something they are, such as a facial or fingerprint scan. These additional verification factors validate the user’s identity and provide an extra layer of security for the organization.
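The “something they have” factor in practice, as an added Python example that is not part of the original article: the time-based one-time password (TOTP, RFC 6238) that a mobile authenticator app generates, together with the server-side check that accepts one step of clock drift and refuses a replayed code. The secret is the published RFC test secret so the codes can be checked against the RFC tables; the verifier class and its method names are this example's own.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the 'something you have' factor.

    Accepts a code from the current step or one step either side (clock drift),
    and never accepts a step at or before the last accepted one, so a code that
    was captured and replayed is rejected even inside its validity window.
    """

    def __init__(self, secret, step=30, digits=6, drift_steps=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, submitted, unix_time=None):
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for candidate in range(current - self.drift_steps, current + self.drift_steps + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed, or older than a code already accepted
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


# Published RFC 6238 test secret, used only so the values below are checkable
# against the RFC; a real enrolment generates a fresh random secret per user.
RFC6238_SECRET = b"12345678901234567890"


def demo():
    """Generate codes for RFC test times and exercise drift and replay handling."""
    verifier = TotpVerifier(RFC6238_SECRET)
    first = totp(RFC6238_SECRET, 59)
    return {
        "code_at_59": first,
        "code_at_1111111109": totp(RFC6238_SECRET, 1111111109),
        "code_at_1234567890": totp(RFC6238_SECRET, 1234567890),
        "accepted_first_use": verifier.verify(first, 59),
        "rejected_replay": verifier.verify(first, 59),
        "rejected_wrong_code": verifier.verify("000000", 59),
        "accepted_one_step_late": TotpVerifier(RFC6238_SECRET).verify(first, 89),
    }


if __name__ == "__main__":
    print(demo())
```

The replay guard is the part most often missing from home-grown verifiers: without `last_accepted_step`, a code observed in transit remains valid for the rest of its 30-second step plus the drift window, which is exactly the interval an attacker who has already obtained the password would exploit.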

The Oldsmar water treatment plant incident should serve as an urgent reminder to organizations about taking precautionary steps before a cyberattack occurs. The consequences could be severe damage to the organization’s reputation and bottom line or perhaps endangering human lives. By implementing secure VPN-less remote access, vaulting shared administrative account passwords, enforcing least privilege with privilege elevation, and incorporating MFA everywhere, critical infrastructure organizations can arm themselves – and the citizens they serve – against adversaries.

