ICS under fire: Water treatment plant hacked

Industrial Control Systems (ICS) are like a little brother who is slow on the uptake compared to grown-up IT. Although ICS can do almost anything that IT can do, uses the same protocols and is similar in design to its big brother, it is still not taken seriously enough. This might sound negative, but there’s no other way of looking at headlines about the security incident at a water treatment plant in Oldsmar, Florida. Reports suggest that a hacker was able to compromise the plant’s ICS and increase the amount of lye added to the water supply by a factor of 100. Although the chosen value could not have been physically implemented and an employee detected the incident within a few minutes, the media was still quick to credit mastermind hackers.

Simple solutions to simple problems

Switching off or contaminating the water supply is certainly dangerous, and we wouldn’t want to trivialize a genuinely severe incident, but when you look carefully this incident has absolutely nothing to do with mastermind hackers. They simply used TeamViewer. If you are concerned at this point that there might be a new zero-day vulnerability in TeamViewer, you can sit back and relax: all the attackers needed were compromised credentials. To add insult to injury, this could have been avoided with two-factor authentication, which is not a new technology, is free of charge and can be enabled with just one click in TeamViewer. Perhaps every story and blog post about Oldsmar should have carried the following headline: IT staff ignore basic security measures. This is unacceptable in 2021, completely unnecessary and scandalous.

Instead, the news is full of distractions which have nothing to do with the actual problem. For example, that the TeamViewer instance was running on Windows 7, which has not received any security updates from Microsoft for some time. This might be true, but it is irrelevant here: the attackers logged in with valid credentials and did not need to exploit anything. Or that TeamViewer has similar functions to a Remote Access Trojan (RAT). This is also true, but conversely a RAT is like remote maintenance software, only with fewer nice features. TeamViewer is a widely used, fully legitimate remote maintenance application with several million installations, including enterprise users. Whether you should deploy TeamViewer in critical infrastructure is another question; there is nothing wrong with using TeamViewer for remote access per se, just as long as you don't ignore the most basic security measures.

Anyone can implement 2-factor authentication

Nothing about the Oldsmar hack, if you want to call it that, has anything to do with ICS exploits, but a lot to do with a blatant disregard of basic information security. You don’t even have to dig into NIST publications, where SP 800-82 provides comprehensive guidance on securing ICS environments, to learn this: what went wrong here is a recommendation that almost every popular household magazine repeats once a year. The technical expertise required is so low that blaming poorly trained staff simply cannot hold up. Two-factor authentication on TeamViewer requires a cell phone number and a few clicks in a graphical user interface. Many reports might blame strained equipment and staff resources, but we have to remember that this is an industrial environment with extremely high safety standards. If pumps, motors and large moving machines were not secured sufficiently to avoid endangering life or limb, the plant would not be allowed to operate and there would be plenty of heat from the supervisory authorities. It’s not likely that anyone would claim a lack of funding, training and expertise for dealing with safety issues, because everyone is aware how important safety is. But awareness is still lacking for IT security.
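The post's point in this section and the previous one is that a stolen password alone should never be enough to reach the plant's remote access. The following added example (it is not from the post and has nothing to do with how TeamViewer implements its own two-factor authentication) shows the mechanism behind the "few clicks": a standard RFC 4226/6238 one-time-password check on the server side, with a constant-time comparison, a small clock-drift window and replay protection. The user store, the `operator` account, its password and the salt are constructed placeholders; the TOTP seed is the public test seed from the RFCs so the results can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)

# Counter for TOTP (RFC 6238): the Unix time divided into 30 s steps.
def time_step(at: Optional[float] = None, step: int = 30) -> int:
    if at is None:
        at = time.time()
    return int(at // step)

# TOTP is HOTP with the time step as the counter; this is what an authenticator app computes.
def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, time_step(at, step), digits)

# Accept a code from the current step or one step either side (clock drift) and return the
# step it matched, so the caller can refuse a second use of the same code.
def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    centre = time_step(at, step)
    for counter in range(centre - window, centre + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None

SALT = b"constructed-demo-salt"  # constructed; a real store uses a random salt per user

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user store: one operator account with a password and an enrolled TOTP seed.
USERS = {
    "operator": {
        "password_hash": hash_password("plant-password-2021"),  # constructed placeholder
        "totp_secret": b"12345678901234567890",                # RFC 4226/6238 test seed
        "last_counter": -1,                                    # highest step already used
    }
}

# Full login check: password first, then the second factor, then replay protection.
def authenticate(username: str, password: str, code: Optional[str],
                 at: Optional[float] = None) -> Tuple[bool, str]:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password_hash"], hash_password(password)):
        return False, "bad username or password"
    if not code:
        return False, "second factor missing"
    matched = verify_totp(user["totp_secret"], code, at)
    if matched is None:
        return False, "second factor invalid"
    if matched <= user["last_counter"]:
        return False, "second factor already used"
    user["last_counter"] = matched
    return True, "ok"

if __name__ == "__main__":
    now = time.time()
    # Attacker with a leaked password but no authenticator: rejected.
    print(authenticate("operator", "plant-password-2021", None, at=now))
    # Legitimate operator with the code from the enrolled authenticator: accepted once.
    code = totp(USERS["operator"]["totp_secret"], at=now)
    print(authenticate("operator", "plant-password-2021", code, at=now))
    # The same code presented again (for example, captured in transit): rejected.
    print(authenticate("operator", "plant-password-2021", code, at=now))
```

The replay check is the part most home-grown implementations forget: without it, a one-time password is only one-time by convention, and a code captured during a legitimate session stays valid for the rest of its 30-second step plus the drift window.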

State of the art security systems for ICS

All remote connections are particularly critical for both ICS and IT systems and need to be secured carefully. There is most definitely a reason why almost all companies ensure that their employees access company networks via VPN, and why many have already introduced two-factor authentication. After hundreds of incidents and thanks to many standard frameworks, IT security is finally being taken seriously, meaning that embarrassing incidents like the one in Oldsmar are few and far between. But ICS is still lagging behind its big brother IT by mistakenly prioritizing convenience above everything else and completely neglecting IT security. Well, if it's always gone well so far... Unfortunately, it didn't go so well in Oldsmar.