One of the worst fears of humanity came true last week. Ever since cyberattacks started increasing in variety and began affecting organizations of all types and sizes, it was feared that cybercriminals would one day target public infrastructure and attempt to sabotage utility services. The cyberattack on the control systems of a water treatment plant in Oldsmar, Florida, has come as a rude shock.
On Feb 5, a hacker remotely accessed a computer hosting the water treatment control system that was being used by an operator at the Oldsmar city water treatment plant. The hacker had remote access for about 2-3 minutes, during which he raised the sodium hydroxide level in the water from about 100 parts per million to 11,100 parts per million. However, the vigilant operator noticed the change and promptly reverted the setting, averting a disaster. Apparently, the hacker had gained unauthorized access to the water treatment control system through the TeamViewer application used by the plant’s operators.
Though the FBI and other law enforcement agencies are investigating and the exact cause of the incident is yet to be ascertained, security researchers, quoting various authorities and sources, have opined that lax security practices enabled this attack. Specifically, they allege that:
Whatever the actual cause, the fundamental issue boils down to unauthorized remote privileged access to a critical system.
We witness a variety of attacks day in and day out and see hackers adopting innovative tactics. No doubt, the threat landscape is continuously (and rapidly) evolving. However, we also see a repetitive pattern in the attacks: the involvement of stolen credentials and the misuse of administrative access are increasingly reported. The attack on the Oldsmar city water treatment control systems also appears to fit this pattern.
Cybercriminals are always on the lookout for administrative credentials. Many times, attackers don’t actually hack into networks; they simply walk in using stolen, weak, or compromised credentials freely available on the dark web. They follow a few other simple techniques, such as phishing emails, to deliver malware and gain a foothold on machines. Known vulnerabilities that remain unpatched make their job easy. They then proceed to capture administrative credentials from password hashes or through keystroke loggers, move laterally across the network, and finally perpetrate the attack by exploiting privileged access.
Combating cyberattacks certainly requires a multi-pronged strategy. Many organizations concentrate on deploying sophisticated and advanced security tooling but lose sight of the fundamental measures. If there are holes in the foundational elements, it becomes a cakewalk for hackers to grab the low-hanging fruit.
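The incident above is, at the control-system level, a single setpoint change that no automated control questioned. The following script is an added example (not code from the original post, the plant, or any vendor) of a change guard that reviews logged setpoint changes: it flags values outside an assumed operating band, steps that change a value by more than an assumed ratio in either direction, and changes that arrived over a remote session. The limits, the parameter names and the sample events are constructed for illustration; real limits come from the process engineers.

```python
"""Change guard for control-system setpoints.

Added example, not code from the original post or from any plant or vendor:
it flags setpoint changes that leave a plausible operating band or jump too
far in one step, and records when a change arrived over a remote session.
The limits and events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed operating envelope per parameter: (min, max, max ratio between
# consecutive values). Real limits must come from process engineers.
LIMITS: Dict[str, Tuple[float, float, float]] = {
    "naoh_ppm": (0.0, 500.0, 2.0),
    "ph": (6.5, 9.0, 1.2),
}


@dataclass(frozen=True)
class ChangeEvent:
    ts: str
    operator: str
    source: str        # "console" or "remote" (e.g. a remote-desktop session)
    parameter: str
    old_value: float
    new_value: float


@dataclass(frozen=True)
class Alert:
    ts: str
    parameter: str
    new_value: float
    reason: str


def check_change(ev: ChangeEvent) -> List[Alert]:
    """Return every alert a single change raises; an empty list means accepted."""
    alerts: List[Alert] = []
    if ev.parameter not in LIMITS:
        alerts.append(Alert(ev.ts, ev.parameter, ev.new_value, "no limits defined for parameter"))
        return alerts
    lo, hi, max_ratio = LIMITS[ev.parameter]
    if not lo <= ev.new_value <= hi:
        alerts.append(Alert(ev.ts, ev.parameter, ev.new_value, f"outside operating band {lo}-{hi}"))
    # Large steps in either direction deserve a second pair of eyes.
    if ev.old_value > 0 and ev.new_value > 0:
        ratio = max(ev.new_value / ev.old_value, ev.old_value / ev.new_value)
        if ratio > max_ratio:
            alerts.append(Alert(ev.ts, ev.parameter, ev.new_value,
                                f"step of {ratio:.1f}x exceeds {max_ratio}x"))
    if ev.source == "remote":
        alerts.append(Alert(ev.ts, ev.parameter, ev.new_value,
                            f"changed over remote session as {ev.operator}"))
    return alerts


def review(events: List[ChangeEvent]) -> List[Alert]:
    """Run the guard over a batch of logged changes."""
    alerts: List[Alert] = []
    for ev in events:
        alerts.extend(check_change(ev))
    return alerts


# Constructed sample: a routine console adjustment, then a jump of the kind
# the post describes, then the operator's revert from the console.
SAMPLE_EVENTS = [
    ChangeEvent("2021-02-05T08:00:00", "day-operator", "console", "naoh_ppm", 100.0, 105.0),
    ChangeEvent("2021-02-05T13:30:00", "day-operator", "remote", "naoh_ppm", 100.0, 11100.0),
    ChangeEvent("2021-02-05T13:33:00", "day-operator", "console", "naoh_ppm", 11100.0, 100.0),
]

if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS):
        print(f"{alert.ts} {alert.parameter}={alert.new_value}: {alert.reason}")
```

The guard is deliberately advisory: it produces alerts for a human to act on rather than blocking the write, because the revert in the third event is itself a large step and must not be refused. In a real deployment the alerts would feed the plant's alarm system so that a jump like the second event is noticed even when no operator happens to be watching the screen.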
Some of the most neglected security fundamentals include:
The lack of these measures has led to some of the worst data breaches in recent times. Of these, poor password hygiene is perhaps the most notorious factor.
Reusing the same passwords across multiple resources is a recipe for disaster. Yet this practice goes unchecked in many organizations. It is quite common to see the same passwords assigned to multiple IT assets; developers reusing passwords across their personal and work accounts; passwords on spreadsheets circulated across departments; departing IT staff exiting with a copy of all the credentials; and similar practices.
When developers reuse passwords, a compromise of one of their personal accounts gives hackers easy access to corporate data. Uncontrolled or unmonitored access often leads to exploitation by malicious insiders. Weak security practices and vulnerabilities in the supply chain lead to breaches upstream.
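The reuse described in the two paragraphs above is easy to state and surprisingly rarely measured. The script below is an added example (not the post's code and not any vendor's product) of a credential-hygiene audit over an exported inventory of asset credentials: it groups accounts that share a password and flags weak ones. Passwords are compared through a keyed HMAC with a per-run key that is never written out, so the resulting report names only asset/account pairs and can be circulated without carrying plaintext. The inventory, the 12-character policy and the deny-list are constructed assumptions.

```python
"""Credential-hygiene audit over a vault or inventory export.

Added example, not the post's code and not any vendor's product: it finds
passwords shared by more than one asset and flags weak ones. Passwords are
compared through a keyed HMAC so the report can be circulated without the
plaintext. The inventory and the deny-list are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Tiny constructed deny-list; a real audit would check a breach corpus.
COMMON_PASSWORDS = {"password", "Password1", "Welcome123", "admin", "letmein"}


def fingerprint(password: str, key: bytes) -> str:
    """Keyed hash: equal passwords collide, but the report cannot be reversed
    without the per-run key, which is never written out."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def is_weak(password: str, min_len: int = 12) -> bool:
    """Assumed policy: at least 12 characters and not on the deny-list."""
    return len(password) < min_len or password in COMMON_PASSWORDS


def audit(inventory: List[Tuple[str, str, str]],
          key: Optional[bytes] = None) -> Dict[str, object]:
    """Group accounts by password fingerprint and list weak credentials.

    Inventory rows are (asset, account, password); the returned report
    names only asset/account pairs, never passwords."""
    key = key or secrets.token_bytes(32)
    by_fp: Dict[str, List[str]] = defaultdict(list)
    weak: List[str] = []
    for asset, account, password in inventory:
        principal = f"{account}@{asset}"
        by_fp[fingerprint(password, key)].append(principal)
        if is_weak(password):
            weak.append(principal)
    reused = {fp: sorted(p) for fp, p in by_fp.items() if len(p) > 1}
    return {"reused": reused, "weak": sorted(weak)}


# Constructed inventory: the same password on two HMI hosts and the jump
# host that fronts them, one strong service credential, one common password.
SAMPLE_INVENTORY = [
    ("scada-hmi-01", "operator", "Plant2020!"),
    ("scada-hmi-02", "operator", "Plant2020!"),
    ("jumpbox", "Administrator", "Plant2020!"),
    ("historian", "svc_hist", "kZ7#vq!pL9@wR2mT"),
    ("fileserver", "backup", "Welcome123"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for fp, principals in report["reused"].items():
        print(f"password {fp} shared by: {', '.join(principals)}")
    print("weak:", ", ".join(report["weak"]))
```

Run against a real vault export, the "reused" groups are the list of assets where one leaked or guessed password opens several doors at once; the jump host sharing a password with the HMI hosts in the sample is exactly the kind of finding that turns one compromised endpoint into control-system access.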
When IT divisions enforce certain practices, end users come up with exemption requests or find ways to circumvent the process. Citing work priorities, users request relaxations when passwords are due to be changed, when MFA is being enforced, when maintenance is due, when a monitoring system needs to be deployed, or when a scan is to be done.
The Florida water plant hack underscores the importance of basic security measures. Strict adherence to basic security principles could probably have helped avert this incident.
Not all security incidents can be prevented; there is no magic wand or silver bullet available yet. But by concentrating on the basics, IT departments can undoubtedly prevent a good number of attacks.
This is a wake-up call. IT divisions should review the measures in place to ensure security basics such as checking ‘who’ has access to ‘what’; monitoring the systems exposed to the internet; keeping the infrastructure in top shape with timely patching and updates; controlling access to sensitive systems; ensuring that security controls are not relaxed or bypassed; and adopting password hygiene. This may sound too obvious, but in reality these basics are much neglected.
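Checking ‘who’ has access to ‘what’ is the one basic on that list that can be scripted against an inventory. The script below is an added example (not from the original post or any product) of a periodic access review: it walks the accounts present on sensitive systems, cross-checks them against the current staff list, and records a finding for shared logins that cannot be attributed to a person, accounts with no current owner, and accounts on internet-exposed systems that lack MFA or hold admin rights. All system names, account names and staff names are constructed.

```python
"""Periodic access review: who has access to what.

Added example, not from the original post or any product: it cross-checks the
accounts present on sensitive systems against the current staff list and
flags the gaps the post lists as neglected basics. All systems, accounts and
staff names below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Account:
    user: str
    role: str        # "admin" or "operator"
    mfa: bool


@dataclass
class System:
    name: str
    internet_exposed: bool   # reachable from outside, e.g. via a remote-access tool
    accounts: List[Account] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    issue: str


def access_review(systems: List[System], active_staff: Set[str],
                  shared_accounts: Set[str]) -> List[Finding]:
    """Return one finding per account-level gap worth a human decision."""
    findings: List[Finding] = []
    for system in systems:
        for acct in system.accounts:
            if acct.user in shared_accounts:
                findings.append(Finding(system.name, acct.user,
                                        "shared account, activity not attributable to a person"))
            elif acct.user not in active_staff:
                findings.append(Finding(system.name, acct.user,
                                        "no current staff member owns this account"))
            if system.internet_exposed and not acct.mfa:
                findings.append(Finding(system.name, acct.user,
                                        "reachable from the internet without MFA"))
            if system.internet_exposed and acct.role == "admin":
                findings.append(Finding(system.name, acct.user,
                                        "admin rights on an internet-exposed system"))
    return findings


def findings_for(findings: List[Finding], user: str) -> List[str]:
    """Convenience view: the issues recorded against one account name."""
    return [f.issue for f in findings if f.user == user]


# Constructed inventory: an HMI workstation exposed through a remote-access
# tool, and an internal historian that is not.
SAMPLE_SYSTEMS = [
    System("hmi-workstation", True, [
        Account("operator", "admin", False),   # shared login used by all shifts
        Account("alice", "operator", True),
        Account("carol", "admin", True),       # carol has left the company
    ]),
    System("historian", False, [
        Account("bob", "admin", False),
    ]),
]
ACTIVE_STAFF = {"alice", "bob"}
SHARED_ACCOUNTS = {"operator"}

if __name__ == "__main__":
    for f in access_review(SAMPLE_SYSTEMS, ACTIVE_STAFF, SHARED_ACCOUNTS):
        print(f"{f.system}/{f.user}: {f.issue}")
```

The review is only as good as its inputs: the staff list has to come from HR, not from the systems being reviewed, or a departed administrator's account simply vouches for itself. Running it on a schedule, and treating every finding as something that must be either fixed or explicitly accepted, is what turns "who has access to what" from a question into a control.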
Florida Water Treatment Plant Hack: A Wake-Up Call to Strengthen Basic Security Measures, Password Hygiene
Feb 13 · 4 min read