Oldsmar – under the radar, but a breach you need to know about

Published on: May 17,2021 Published in: Cyber Security Insights

Oldsmar, a small city near Tampa, Florida, scene of perhaps one of the most under published but dangerous breaches we have seen for a while. This may sound like the start of a binge-worthy Netflix documentary but this ‘hack’ has flown relatively under the radar and has some very relevant lessons to take away.

Read on, as Anthony Lloyd, our Head of Technology tells the tale and delves into why we should take note of this one. And most importantly what we should be doing to protect our businesses against these threats.

Watching the mouse move

You may not have seen it mentioned – some articles were published back in February when it was first reported, but many mainstream news outlets, even technology publications have not reported on it, or at the very least comprehended what it really means.

However the “hack” of a water treatment plant in Florida is a significant concern. Luckily in this case a member of staff, and by that I don’t mean a security professional or even one of those shiny security appliances with lots of flashing lights, no, a member of plant staff literally saw their mouse moving around the screen. The mouse went on to access the water plant’s control system and increase the amount of Sodium Hydroxide from 100 parts per million to 11,100 parts per million – the impacts of this would have had health implications to the 15,000 or so residents whose drinking water came from the plant.

Due to the nature of teamviewer, by that I mean the machine being remotely accessed, it was showing the attackers actions live on the plant operators screen. The staff member saw it as it happened and quickly changed the setting for the chemical back. Experts have said it would have taken around 24 hours before it actually impacted the water supply, so in this case no harm was done, however it is an extremely concerning situation and one where the outcome could have been deadly.

So, how did it happen?

Usually with Cyber Security incidents, all information is not available at the time or immediately after the incident. However, in this case, it would appear that most, if not all information has been published and unusually this is not going to take pages of text to explain how a nation state was targeting another. No, in this case it was a remote access product called TeamViewer, which was setup with poor security controls, weak and possibly shared passwords, no multi-factor enabled and to really round off the circle, little or no network security, so that once the computer was accessed this allowed access to the whole system.

Now in fairness this is not the fault of TeamViewer, the product did exactly what it is designed to do. Also deep down, I find it difficult to blame IT staff at the plant, they are trying to do the best they can with the skills and budget they have available. It is also reported that TeamViewer was installed because of Covid but to allow remote IT admin. This is certainly not unique, many organisations use TeamViewer/similar tools and when used correctly and secured can be a good, all be it, not perfect solution.

I started this by saying it was one of the most underrated breaches I have seen for a while, let me explain. In the last 12 months, we have seen numerous breaches that have made mainstream media and become subject of national enquiries. Back in early 2020, even Microsoft lost hundreds of millions of customer records. But that is the important point, Microsoft losing my details is obviously bad, however if we had to choose between losing my personal details and being poisoned by contaminated water or the power grid being brought down, I think we would all know where we sit. Even more concerning is that we are increasingly seeing these attacks in ‘cyber space’ where the impacts are felt in the ‘real world’, even causing danger to life.

What can be done?

The good news is that it is not all doom and gloom – Cyber Security more than ever is on the fore front of peoples mind’s. Recently, the UK Government announced a large budget to help with this and I really do believe it can improve things. We also have the NIS Directive in Europe, which covers sectors such as utilities. The only problem is as a global pandemic or even a container ship stuck in the Suez Canal shows, the world is more interconnected and dependent on each other than ever before. So even if the EU and UK get it correct, Cyber Security is a wider issue that all nations need to tackle.

As ever, here’s what you should and should not being doing to protect yourself.

If possible, use a network level remote access solution such as a VPN client, this is not as expensive as enterprise grade as you may think, some solutions are free and run on existing Small Business Hardware and as long as kept patched are much more secure.

If you are going to use a remote solution such as TeamViewer or LogMeIn, use the security controls they allow, namely use strong passwords. ALWAYS use Multi Factor, if a product does not support it, look elsewhere. Have named accounts and manage users when they move or leave.

Do not flatten your network, if possible, use network level separation such as VLAN to separate your most sensitive systems so they can only be accessed by specific users and devices. If you cannot do this, at least ensure applications are secured by different credentials so that even if someone was to gain access to your desktop or network as a client, they have limited access.

Always patch your operating system and applications (especially ones that allow remote access!) and don’t forget your network devices, this is even more important if you are using it as a VPN endpoint as per the first point. Yes patching is a pain and balancing system availability is important, but remember, even a bad patch schedule is better than no patch schedule. Also don’t forget to include a process for out of band or unscheduled patches, if the vendor feels they are important enough to release out of band, you should at least review them to see if it impacts you.

For further information or if you would like to discuss how to best protect your organisation, feel free to contact me at i3Secure (info@i3Secure.co.uk). We are here to support, we are a business who wants to do the right thing and we offer complimentary consultations. Please get in touch.

Related Insights

Forces Friendly Insights News

Harnessing the Value of Mentorship: From the RAF to i3Secure

October 26,2023
Insights News

Matt Chapman Joins i3Secure

September 26,2023
Insights News

International Women in Cyber Day: Reflections from COO and Principal Consultant Vici Fox

September 1,2023
Insights News

i3Secure Welcomes Consultant Steen Stewart

July 25,2023
Forces Friendly Insights

From the Military to Cyber Security: Making the Leap

June 16,2023