Remote-Access Software Cause Of Breach At Oldsmar Water Plant

A popular desktop-sharing software was used to breach Oldsmar's water treatment plant, raising caustic chemicals to dangerous levels.

OLDSMAR, FL — A federal Joint Cybersecurity Advisory is reporting that hackers used a popular desktop-sharing software to breach the computer system at Oldsmar's water treatment plant, raising caustic chemicals to dangerous levels.

The announcement Feb. 5 that a hacker was able to penetrate the water treatment plant's security system and increase the level of sodium hydroxide in the water to potentially lethal levels reverberated throughout the country.

Cybersecurity experts have long warned that the country's critical infrastructure is vulnerable to cyberterrorist attacks.

Now that it's occurred, the FBI and U.S. Secret Service are investigating how it happened and what can be done to prevent it from occurring elsewhere.

Around 8 a.m. Feb. 5, a water treatment plant employee charged with monitoring chemical levels in the water noticed that someone had entered the plant's computer system.

Initially, the employee wasn't concerned because supervisors are able to access the system remotely to troubleshoot problems. Then the employee saw that someone spent about five minutes adjusting the sodium hydroxide in the water from 100 parts per million to 11,100 parts per million.

"This is obviously a significant and potentially dangerous increase," Pinellas County Sheriff Bob Gualtieri said. "Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners."

According to the advisory, the hacker was able to carry out the attack by compromising a remote-access software program called “TeamViewer” that was installed on the computer of one of the water plant's employees.

It's a scenario the National Cyber Investigative Joint Task Force, led by the FBI and composed of more than 30 agencies from the intelligence and law enforcement community, feared.

At the National Cybersecurity Summit Sept. 16, FBI Director Christopher A. Wray said the most significant cybersecurity threats facing the country are from "the Chinese government targeting our intellectual property, Russian efforts to undermine our critical infrastructure, and increasingly sophisticated criminal cyber syndicates that seek to steal from individuals and institutions."

While the task force hasn't released details on who might have carried out the cyberattack on the plant, which supplies water to the city's 15,000 residents, it said the use of desktop-sharing software is especially worrisome with an increasing number of employees working from home due to the coronavirus pandemic.

TeamViewer is a popular desktop-sharing software used by companies to give employees who telecommute access to the company's computer system.

In this case, the plant's supervisors used the desktop-sharing software to allow them access to the computer system at the water plant.

"TeamViewer is a legitimate popular tool that has been exploited by cyberactors engaged in targeted social engineering attacks, as well as large-scale, indiscriminate phishing campaigns," said the task force in its advisory. "Desktop-sharing software can also be used by employees with vindictive motivations against employers."

The task force noted that both corrupt insiders and outside cyber criminals use desktop-sharing software to victimize a range of organizations, including the critical infrastructure sectors.

The task force recommends that water and wastewater facilities install independent cyber-physical safety systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat.

Additionally, it advises:

  • Updating to the latest version of the operating system (e.g. Windows 10).
  • Using multiple-factor authentication.
  • Using strong passwords to protect Remote Desktop Protocol credentials.
  • Ensuring anti-virus, spam filters and firewalls are up to date, properly configured and secure.
  • Auditing network configurations and isolating computer systems that cannot be updated.
  • Keeping track of RDP login attempts.
  • Auditing logs for all remote connection protocols and identifying unusual activities.
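As an added illustration of the last two recommendations (this is not code from the advisory or from the plant), the Python sketch below audits an exported Windows Security log for remote logons. The CSV layout, the sample rows, the approved-source list, the failure threshold and the working hours are all assumptions made for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of a Windows Security log export (not data from the incident).
# Event ID 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); with Network Level Authentication,
# failed RDP attempts are usually recorded as LogonType 3.
SAMPLE_LOG = """time,event_id,logon_type,user,source_ip
2021-03-01T08:01:00,4624,10,supervisor,10.0.5.20
2021-03-01T13:10:00,4625,3,operator,203.0.113.7
2021-03-01T13:10:05,4625,3,operator,203.0.113.7
2021-03-01T13:10:09,4625,3,operator,203.0.113.7
2021-03-01T13:12:00,4624,10,operator,203.0.113.7
2021-03-02T02:30:00,4624,10,supervisor,10.0.5.20
2021-03-02T09:00:00,4624,2,operator,-
"""

KNOWN_SOURCES = {"10.0.5.20"}   # assumption: approved supervisor workstation
FAIL_THRESHOLD = 3              # assumption: failures per source before alerting
WORK_HOURS = range(6, 19)       # assumption: 06:00-18:59 is normal remote use


def audit_remote_logons(csv_text):
    """Return (finding, source_ip, user, time) tuples for unusual remote logons."""
    failures = Counter()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event, ltype, src = row["event_id"], row["logon_type"], row["source_ip"]
        hit = None
        if event == "4625" and ltype in ("3", "10"):
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:   # report once per source
                hit = "repeated_failures"
        elif event == "4624" and ltype == "10":
            if src not in KNOWN_SOURCES:
                hit = "unknown_source"
            elif datetime.fromisoformat(row["time"]).hour not in WORK_HOURS:
                hit = "off_hours"
        if hit:
            findings.append((hit, src, row["user"], row["time"]))
    return findings


if __name__ == "__main__":
    for finding in audit_remote_logons(SAMPLE_LOG):
        print(*finding)
```
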
