Florida Water Treatment System Breach: Employees Shared One TeamViewer Password
In the wake of an attack in which a hacker gained access a Florida water treatment plant's network and altered the amount of chemicals being added to drinking water, the FBI released a Private Industry Notification (PIN) warning that "the cyber actors likely accessed the system by exploiting cyber security weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system."
Remote access applications, such as TeamViewer, should be configured with unique credentials for each user, and Internet-exposed entry points need to support MFA and include a firewall. All these also need to be actively monitored for abuse. Old unsupported operating systems, such as Windows 7, which cannot be updated to Windows 10, need additional mitigations, such as an external firewall, to protect them from modern attacks. CISA Alert AA21-042A includes analysis and additional logical and physical mitigations to incorporate if your enabling remote access to control systems. https://us-cert.cisa.gov/ncas/alerts/aa21-042a
When signing up for a new TeamViewer account, the user is prompted to set up two-factor authentication. TeamViewer also offers integration with single sign-on systems for enterprise use. Looks like either may have prevented this breach but was not enabled. The old version of Windows may have been required to run the particular software, and it does not look like it contributed to the breach.
Everyone has probably seen the "Rubin's Vase" optical illusion that to some people looks like a vase and to other people looks like two faces staring at each other. Incidents like this one at the Oldsmar water treatment plant happen frequently and can be viewed two different ways: (1) employees who didn't care about security doing very dangerous things violating well-known security policies enabled an attacker; or (2) mission requirements demanded remote access, no secure approach was provided and the employees did what they had to do to keep the water treatment systems running. The pandemic forced rapid movement to Work-From-Home and exposed a lot of number 2 out there, especially in smaller organizations.
Any and all utility controls attached to public networks MUST employ strong authentication. This one measure will reduce risk by eighty to ninety percent. Shared passwords, on the other hand, reduce accountability and otherwise increase risk.
William Hugh Murray
Read more in
Ars Technica: Breached water plant employees used the same TeamViewer password and no firewall
ZDNet: Following Oldsmar attack, FBI warns about using TeamViewer and Windows 7
KrebsOnSecurity: What's most interesting about the Florida water system hack? That we heard about it at all.
Vice: Why Cybersecurity Experts Hate TeamViewer, the Software Used to Tamper With Florida Water Supply