The hallmarks of the Feb. 5 cyberattack against the Oldsmar, Fla., water treatment facility likely paint a picture typical of industrial control system environments, where under-resourced staff, pressured by mandates for availability and safety, rely on legacy software and inadequate remote access solutions to run an entity responsible for a vital public utility.
Operators inside the Oldsmar facility detected two intrusions from outside the plant on that day, the second of which involved a remote attacker, connected via TeamViewer desktop-sharing software, changing levels of sodium hydroxide in residential and commercial drinking water from 100 parts-per-million to 11,100 parts-per-million. Sodium hydroxide, or lye, is caustic; it is added to water to control acidity and remove certain metals.
The operators' quick action to cut off the attacker's access, supported by safeguards innate to water-treatment systems, kept the contaminated water from ever reaching the public. But underlying their heroism are systemic problems across critical infrastructure that are going to be compounded as more companies bring operational technology (OT) under IT and connect more of these critical systems online.
On Thursday, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an alert about the Oldsmar compromise, calling out some of these systemic issues, starting with the facility's use of TeamViewer—and the same shared password to access the application—as well as outdated and unsupported versions of Windows 7 to remotely manage water treatment. The Water ISAC also published an advisory.
In an environment where downtime is hardly tolerated, it's not unusual to see legacy Windows 7 machines and other outdated, unsupported software running in production. This is problematic because, in the case of Windows 7, for example, Microsoft ended support for the operating system in January 2020. Systems no longer receive security or feature updates unless they are on an expensive Extended Security Update plan, which is priced per device and gets costlier the longer the customer subscribes.
"Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits," CISA warned in its alert. Microsoft in 2019, for example, made an emergency patch available for a critical RDP flaw that was being exploited in the wild. "Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks," CISA added.
The use of free versions of TeamViewer and other remote desktop-sharing and support applications is also not uncommon inside these environments. The COVID-19 pandemic has only heightened the risk posed by these applications as workforces become increasingly remote and access to key processes from outside facilities becomes necessary.
TeamViewer provides administrators and operators with easy, inexpensive access to facilities, but these applications must be configured with security in mind. Even then, they're not adequate for OT networks. Unlike purpose-built secure access solutions, these applications do not adequately log user activities, provide auditing capabilities, or allow for admins to monitor—and disconnect if necessary—remote sessions in real time. They often also do not enable admins to set different user-permission levels, based on roles, for example. Once an attacker has access to the application, as in the case of Oldsmar, they can gain remote control over the control system it's connected to.
Because of how TeamViewer is configured, it allows remote connections to networks that bypass Network Address Translation (NAT) and firewalls. Endpoints that sit on two different networks can still connect, and anyone with the right password can connect to a machine running TeamViewer. This is in contrast to Microsoft's Remote Desktop Protocol (RDP), for example, which requires both computers to be on the same network; in these cases, usability may trump security.
CISA's alert includes a lengthy list of mitigations, including a recommendation that industrial enterprises operate on current versions of Windows and use multi-factor authentication and strong passwords to secure remote connections. Auditing of network configurations is also recommended, as is segmenting systems that cannot be updated.
CISA also cautioned that TeamViewer and other similar applications can be abused not only for remote access to critical processes, but also to move laterally across a network, inject malicious code such as remote access Trojans (RATs), and obfuscate other malicious activity.
"TeamViewer's legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs," the alert said.
In addition, organizations should deploy secure access solutions that are designed for ICS environments, ones that allow only authorized users to create sessions, and administrators to monitor and disconnect those sessions in the event of malicious activity. It's also important to have network detection software in place that provides visibility into assets running on an OT network, including out-of-date OSes and software, and also any CVEs associated with those products, allowing administrators to take action.
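As an added illustration (not code from the CISA alert or from this article), the following Python sketch audits an asset inventory against the mitigations listed above: unsupported operating systems, segmentation of systems that cannot be updated, multi-factor authentication on remote access, and shared remote-access credentials. The field names, finding labels, and inventory entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# End-of-support dates. Windows 7 support ended in January 2020 (per the article).
EOL = {"Windows 7": date(2020, 1, 14)}
REMOTE_TOOLS = {"TeamViewer", "RDP"}  # remote-access paths named in the alert

@dataclass
class Asset:  # hypothetical inventory record; field names are assumptions
    name: str
    os: str
    esu: bool            # covered by an Extended Security Update plan at audit time
    segmented: bool      # isolated from internet-reachable networks
    remote_tools: tuple  # remote-access software installed
    mfa: bool            # multi-factor authentication enforced on remote access
    cred_id: str         # identifier of the remote-access credential in use

def audit(assets, today):
    """Return sorted (asset, finding) pairs for the mitigations CISA lists."""
    findings = []
    cred_users = {}
    for a in assets:  # first pass: which assets use which remote credential
        if a.remote_tools:
            cred_users.setdefault(a.cred_id, []).append(a.name)
    for a in assets:
        eol = EOL.get(a.os)
        if eol and today > eol and not a.esu:
            findings.append((a.name, "unsupported-os"))
            if not a.segmented:  # cannot be updated and not isolated
                findings.append((a.name, "unsupported-os-not-segmented"))
        if REMOTE_TOOLS.intersection(a.remote_tools):
            if not a.mfa:
                findings.append((a.name, "remote-access-without-mfa"))
            if len(cred_users[a.cred_id]) > 1:
                findings.append((a.name, "shared-remote-credential"))
    return sorted(findings)

# Constructed inventory for illustration; not data from the Oldsmar facility.
INVENTORY = [
    Asset("hmi-01", "Windows 7", False, False, ("TeamViewer",), False, "cred-A"),
    Asset("hmi-02", "Windows 7", True, True, ("TeamViewer",), False, "cred-A"),
    Asset("eng-ws", "Windows 10", False, True, ("RDP",), True, "cred-B"),
    Asset("hist-01", "Windows 7", False, True, (), False, ""),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, date(2021, 2, 5)):
        print(f"{name}: {finding}")
```

An asset on an Extended Security Update plan is not flagged as unsupported, but it is still flagged if its remote access lacks multi-factor authentication or reuses a credential.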
CWE-345: Insufficient Verification of Data Authenticity
A feature in the affected products enables users to prepare a project file with an embedded VBA script that can be configured to run, without user intervention, once the project file has been opened. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution.
CVSS v3: 7.7
CWE-770: Allocation of Resources Without Limits or Throttling
When performing an online tag generation to devices which communicate using the ControlLogix protocol, a machine-in-the-middle, or a device that is not configured correctly, could deliver a response leading to unrestricted or unregulated resource allocation. This could cause a denial-of-service condition and crash the Kepware application. By default, these functions are turned off, yet they remain accessible for users who recognize and require their advantages.
PTC recommends users take a defense-in-depth stance with regard to their manufacturing networks, ensuring proper access control is maintained. Additionally, proper adherence to the Kepware Secure Deployment Guide will minimize this threat through accurate configuration and use of the product.
CVSS v3: 5.3
CWE-732: Overriding critical files
The vulnerability, if exploited, could allow a miscreant to read and write an AVEVA Reports for Operations project and/or tamper with installation files.
CVSS v3: 7.8
CWE-22: Path Traversal leading to Arbitrary Code Execution
The vulnerability, if exploited, could allow a miscreant to execute arbitrary code under the privileges of an interactive AVEVA Reports for Operations user.
CVSS v3: 7.8
CWE-420: Unprotected Alternate Channel
A vulnerability exists in the affected products that allows a threat actor to bypass certain communications restrictions between slots in a 1756 chassis. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP programming and configuration commands on a Logix controller in the chassis.
CVSS v3: 8.4