More ICS security incidents: a cyber attack on the water supply system of a small town in Florida

Guest post from the ICS cyber security blog:
More ICS security incidents: cyber attack on a small Florida town’s water system

Wednesday, February 20, 2018:

13 February 2021 – icscybersec

A cyber attack has hit a Florida water utility in a recent incident, while ransomware attacks have also hit the packaging materials company WestRock and the freight forwarder Forward Air Corporation.

Unfortunately, I haven’t had enough time to blog in the last few days, but the ICS security incident at the waterworks in the small town of Oldsmar, Florida, is something that cannot be ignored (especially since it was reported relatively quickly on some Hungarian news sites). These articles have covered the events quite well, so I would rather look at the details of this attack as they are known at the moment.

  1. While the incident itself is serious (after gaining access to the water utility’s ICS systems, the attacker increased the amount of sodium hydroxide added to the water supply more than a hundredfold), the details we have so far suggest that the cyber attack was neither sophisticated nor complex. According to the information available, the attacker (or attackers) accessed the water utility’s ICS systems through a TeamViewer application used for remote access by the water utility’s supervisors (engineers), and multiple users shared a single TeamViewer password.

     Moreover, TeamViewer was installed on a computer running Windows 7 (as even the Hungarian articles point out, Windows 7 has not been supported by the manufacturer for more than a year, but this does not bother most industrial organisations, especially since they still used more computers running Windows XP for process control than Windows 7).

  2. If the previous point wasn’t deterrent enough, an added bonus is that the Windows 7 machine running TeamViewer was not separated from the Internet even by a firewall.
  3. It is a tidbit for those interested in OSINT that information about the HMI used at the waterworks concerned, and its configuration, was freely available online. (Edit: In the meantime, the image has been removed from mckimcreed.com, but the point is that it was out there. The specific image is still available in Google Cache, by the way… That’s why you have to be careful about the information you share.)

So this incident is (again, I stress, based on the information available at the moment) an opportunistic attack that could have been pulled off by a novice script-kiddie.

Let’s quickly run through the basic measures that are recommended as a security rule of thumb for any organisation using ICS systems:

  1. ICS systems should be isolated from external and especially public networks – if nothing else, with properly configured firewalls!
  2. The corporate/office and ICS networks should also be separated, and only the necessary network traffic should be allowed, to the minimum extent necessary!
  3. Remote access should only be allowed using secure methods (VPN, multi-factor authentication, etc.).
  4. Insist (in line with the information security principle of accountability) on the use of individual accounts and on the principle of least privilege!
  5. Control and minimise the information that is publicly released about the systems used for process control!

Obviously, these 5 points will by no means protect you from all attacks, but there is a good chance that a similar incident can be prevented by following these rules and principles.
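As an added example (not part of the original post), the five rules of thumb above, plus the unsupported-OS point from the Oldsmar description, turned into an inventory audit: the `IcsHost` record, the two sample hosts and the end-of-support table are all constructed here for illustration, and the first sample host mirrors the setup described for Oldsmar.

```python
from dataclasses import dataclass, field
from datetime import date

# Vendor end-of-support dates for the operating systems the post mentions.
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8), "Windows 7": date(2020, 1, 14)}


@dataclass
class IcsHost:
    """One process-control workstation as recorded in a (hypothetical) asset inventory."""
    name: str
    os: str
    internet_reachable: bool             # has a route to or from the public Internet
    behind_firewall: bool                # a firewall sits between it and other networks
    shares_office_network: bool          # same network segment as corporate/office hosts
    remote_tools: list = field(default_factory=list)      # e.g. ["TeamViewer"]
    remote_access_via_vpn_mfa: bool = False               # remote sessions go through VPN + MFA
    shared_accounts: list = field(default_factory=list)   # logins used by more than one person


def audit_ics_host(host: IcsHost, today: date) -> list[str]:
    """Return one finding per violated rule of thumb (numbered as in the post)."""
    findings = []
    if host.internet_reachable and not host.behind_firewall:
        findings.append("rule 1: reachable from the Internet with no firewall in between")
    if host.shares_office_network:
        findings.append("rule 2: ICS host sits on the same network as office systems")
    if host.remote_tools and not host.remote_access_via_vpn_mfa:
        findings.append(f"rule 3: remote access via {', '.join(host.remote_tools)} without VPN/MFA")
    if host.shared_accounts:
        findings.append(f"rule 4: shared account(s) {host.shared_accounts} defeat accountability")
    eol = END_OF_SUPPORT.get(host.os)
    if eol and today > eol:
        findings.append(f"unsupported OS: {host.os} out of vendor support since {eol.isoformat()}")
    return [f"{host.name}: {f}" for f in findings]


# Constructed inventory entries: the first mirrors the setup described for Oldsmar,
# the second is the same workstation role after applying the five rules of thumb.
OLDSMAR_LIKE = IcsHost("hmi-ws01", "Windows 7", internet_reachable=True, behind_firewall=False,
                       shares_office_network=True, remote_tools=["TeamViewer"],
                       shared_accounts=["operator-shared"])
HARDENED = IcsHost("hmi-ws01", "Windows 10", internet_reachable=False, behind_firewall=True,
                   shares_office_network=False, remote_tools=["vendor jump host"],
                   remote_access_via_vpn_mfa=True)

if __name__ == "__main__":
    for host in (OLDSMAR_LIKE, HARDENED):
        for line in audit_ics_host(host, date(2021, 2, 13)):  # audit as of the post's date
            print("-", line)
```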

Ransomware attacks against US industry

Back on 23 January, a ransomware attack was reportedly launched against WestRock, a US company involved in the production of packaging materials, mainly corrugated paper. In addition to their administration/office systems, the incident also affected systems used in production automation. The company is rather tight-lipped about the incident, but the fact that the incident also affected their OT systems suggests that it could be a serious incident.

According to another report, a ransomware attack hit the systems of Forward Air Corporation, a freight forwarder based in Tennessee, back in December last year. The incident caused at least US$ 7.5 million in damages to FAC, according to the US Securities and Exchange Commission (SEC). While few details of the incident are known (it is not even public which ransomware is responsible), it is known that FAC has been able to restore its systems to operational status.

***

The original guest post was published on the ICS cyber security blog.

Translated by DeepL.