The attacker remotely accessed a computer linked to the treatment facility and began increasing the amount of sodium hydroxide, or lye, in the water, according to Pinellas County Sheriff Bob Gualtieri, who spoke at a news conference Feb. 8. The attacker raised the sodium hydroxide level by more than 100 times before a supervisor working remotely noticed the chemical level being changed and stopped the attack.
The attacker accessed the plant through a software program called TeamViewer, which allows authorized personnel to access the system remotely.
The problem is that the software wasn’t designed to protect critical infrastructure and was probably a consumer-grade version, according to Randy Watkins, chief technology officer for Managed Detection and Response at cybersecurity firm CriticalStart.
“There are a couple of things that trouble me about this,” Watkins said. “One is I don’t think this is the only water treatment facility that’s set up in this manner, and I don’t think it’s the only critical infrastructure that’s set up in this manner.”
Watkins said that this was likely a target of opportunity, meaning that someone was scanning the Internet, found TeamViewer, breached it and stumbled onto access to the treatment facility. While there, they began adding sodium hydroxide.
“TeamViewer is aware of media reports regarding an unauthorized remote access to the Oldsmar water treatment facility and we are monitoring the situation very closely,” TeamViewer said in a statement provided to the Tampa Bay Times.
Now that attackers know this type of system can be penetrated easily, they may attack more frequently and, perhaps, target other critical infrastructure.
“It does not have the greatest security baked into it, especially on the consumer side, and I would venture that it was probably the consumer version,” Watkins said. “They didn’t think someone would be able to brute force their way into it just by scanning the Internet or looking at their footprint.”
Watkins said the nature of the attack — there were more deadly compounds they could have added if they wanted to really do damage — suggests that it wasn’t a nation-state attack, or if it was, they were just testing.
“I think more of this will happen, and I think the more likely scenario is people scanning the Internet will start looking for TeamViewer listeners and seeing what’s available,” Watkins said.
“TeamViewer is an application that’s installed on a remote computer and says, ‘I’m going to listen to my TeamViewer counterpart on the other side and when it wants to connect we can connect,’” Watkins said.
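In this incident the intrusion was caught only because a supervisor happened to be watching the screen. Remote-access tools keep their own session records, so an operator can check those records routinely instead of relying on luck. The script below is an added example, not code from the article, from TeamViewer or from the Oldsmar facility; it assumes the tab-separated layout of TeamViewer’s Connections_incoming.txt (remote TeamViewer ID, display name, start time, end time, local Windows user, session type, connection ID, with DD-MM-YYYY timestamps), and the log lines, the allowlist of staff IDs and the working-hours window are all constructed for illustration.

```python
"""Flag incoming remote-control sessions that do not look like staff activity.

Added example: parses a constructed TeamViewer-style connection log and reports
sessions from remote IDs that are not on an allowlist or that start outside
working hours. Column layout and sample data are assumptions, not real records.
"""
from datetime import datetime

# Constructed sample in the assumed Connections_incoming.txt layout (not real data):
# remote ID \t display name \t start \t end \t local user \t session type \t connection ID
SAMPLE_LOG = """\
123456789\tPlant Supervisor\t08-02-2021 09:02:11\t08-02-2021 09:40:57\tOPERATOR\tRemoteControl\t{aaaaaaaa-0000-0000-0000-000000000001}
987654321\tUnknown\t05-02-2021 08:02:33\t05-02-2021 08:03:10\tOPERATOR\tRemoteControl\t{aaaaaaaa-0000-0000-0000-000000000002}
987654321\tUnknown\t05-02-2021 13:30:04\t05-02-2021 13:35:49\tOPERATOR\tRemoteControl\t{aaaaaaaa-0000-0000-0000-000000000003}
123456789\tPlant Supervisor\t06-02-2021 02:15:00\t06-02-2021 02:20:00\tOPERATOR\tRemoteControl\t{aaaaaaaa-0000-0000-0000-000000000004}
"""

# Hypothetical allowlist of the TeamViewer IDs that plant staff actually use.
ALLOWED_IDS = {"123456789"}
# Hypothetical maintenance window: sessions starting 07:00-18:59 are expected.
WORK_HOURS = range(7, 19)
TIMESTAMP_FMT = "%d-%m-%Y %H:%M:%S"


def parse_sessions(text):
    """Turn the tab-separated log into a list of session dicts; skip malformed lines."""
    sessions = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue  # blank or truncated line
        sessions.append({
            "remote_id": fields[0],
            "name": fields[1],
            "start": datetime.strptime(fields[2], TIMESTAMP_FMT),
            "end": datetime.strptime(fields[3], TIMESTAMP_FMT),
            "local_user": fields[4],
            "type": fields[5],
            "conn_id": fields[6],
        })
    return sessions


def find_suspicious(sessions, allowed_ids=ALLOWED_IDS, work_hours=WORK_HOURS):
    """Return (connection ID, remote ID, start time, reasons) for sessions worth a look.

    A session is flagged if the remote ID is unknown, if it started outside the
    maintenance window, or both; the reasons list says which rule(s) fired.
    """
    findings = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in allowed_ids:
            reasons.append("remote ID not on allowlist")
        if s["start"].hour not in work_hours:
            reasons.append("session outside working hours")
        if reasons:
            findings.append((s["conn_id"], s["remote_id"], s["start"], reasons))
    return findings


if __name__ == "__main__":
    for conn_id, remote_id, start, reasons in find_suspicious(parse_sessions(SAMPLE_LOG)):
        print(f"{start:%Y-%m-%d %H:%M}  remote={remote_id}  {conn_id}: {'; '.join(reasons)}")
```

On the constructed sample this reports the two sessions from the unknown ID and the staff session that started at 02:15, and leaves the daytime staff session alone. The point is the control, not the script: an allowlist of remote IDs, a maintenance window, and a daily look at the connection log would have surfaced an unexpected session whether or not anyone was watching the console at the time.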
Watkins said a common thread is that these types of facilities are underfunded when it comes to cybersecurity, and that funding sources and tax incentives need to be developed to enhance safety.
Watkins said there are enterprise-level remote administration tools that use secure protocols and lock down network traffic that could be used to more securely protect such critical infrastructure.
“This water treatment plant was small, but I’ve worked with larger ones, and the thing that comes up is they are very underfunded. So when I say this is probably a residential version of the software they installed,” Watkins explained, “it’s likely they don’t have the funding for security to install an enterprise-grade remote software system.”