
All Eyes on Oldsmar

Created: Thursday, February 11, 2021 - 13:30
Categories:
Cybersecurity

All eyes are on the Oldsmar, Florida Water Treatment Plant incident at the moment, and not just the security community’s. The water and wastewater sector is getting a lot of attention from mass media and the security community alike (seemingly even more than SolarWinds), particularly with respect to smaller water/wastewater systems and their need for cybersecurity assistance – a need that has been near and dear to WaterISAC’s heart (and the ICS cybersecurity community’s) for nearly two decades. To avoid information overload, let’s focus on some of the more interesting points and observations that continue to be disclosed (or surmised). For a review of the initial details of this incident, please visit our original Advisory and considerations.

  • A CNN article cites what appears to be additional information: the particular TeamViewer instance had not been used for about six months. If this is indeed the case, it is a strong validation of the importance of continuous asset management/inventory. Not just to remove latent software from the network; an asset review should also reveal its unsecured exposure to the internet (see the Forescout post below for five crucial risk assessment questions). Couple this information with a tweet by a respected security researcher who discovered a potential credential dump that appears to be for Oldsmar [.]fl [.]us – at the time of this writing, the age of the data is unknown, but it is notable nonetheless.
  • There have been repeated statements that the computer TeamViewer was installed on was running an outdated operating system (Windows 7). Unfortunately, this is a common occurrence among smaller organizations broadly, and it continually needs to be addressed. However, from what has been disclosed thus far, it is not a factor in this case. The operating system was not what was exploited; the unsecured TeamViewer instance, along with the apparent lack of basic cybersecurity hygiene, was – a vulnerability doesn’t have to be “technical” in nature to be exploited.
  • As mentioned above, many resources are echoing the need for greater training for smaller utilities, including this one published at CSO, which quotes WaterISAC’s Managing Director, Michael Arceneaux, among others. While this isn’t a new observation, perhaps the microscope and wider exposure to this larger audience might move the needle forward and get under-resourced utilities across all sectors the help they need. And it’s not just that help is lacking; in many cases the smaller utilities simply don’t know about the help that does exist, and that is something WaterISAC has endeavored to overcome since its inception.
  • As the dust settles on Oldsmar, the rest of us (large and small) should be playing Monday morning quarterback and asking how to avoid this happening at our facilities – if you haven’t already. For those who simply didn’t know where to start (or haven’t accessed WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities), these questions from Forescout and the considerations posted at BankInfoSecurity break it down into manageable chunks that will propel your cybersecurity posture and incident response forward. For those who tackled this head on when the news broke, we ask that you share your response experiences with us soon.
  • Finally, while some of the facts still don’t sit well with the security community, especially given the outstanding questions, don’t get caught up in the minutiae. For instance, recent comments made by former CISA director Christopher Krebs could be misleading if not taken as a whole. In an SCMagazine post, Krebs was cited as stating possible theories about the identity of the actor, while other posts downplayed additional comments from Krebs that it was way too early to speculate and that this is why we do investigations. In this light, it is important to remember that there are always alternative theories that need to be considered. Investigators/incident responders cannot afford to simply (blindly) proceed on the basis of confirmation bias because it is what they want to believe. It is to be hoped that this all-encompassing approach to theories is being applied here. So, regardless of the “facts” we want to know, we need to be cautious and not read into things such as former director Krebs’ statement regarding alternative theories and that no plausible stone should be left unturned. Quite honestly, I (Jennifer Lyn Walker) think everything is plausible in this case – even the lack of sophistication doesn’t necessarily rule out state-sponsored activity, depending on motive/intent/goal, but it does seem/appear less likely than competing theories.

Additional posts on Oldsmar, not necessarily discussed above: