Proper training, system configuration could have prevented Oldsmar hack
Last week’s breach of a computer system that controls the city of Oldsmar’s water treatment plant made national headlines and has even drawn the attention of the FBI and Secret Service. Both agencies are helping the Pinellas County Sheriff’s Office locate the perpetrator of the cyberattack, Sheriff Bob Gualtieri said on Monday.
As of Wednesday, however, additional details had been slow to emerge.
“The investigation into the software intrusion to the City of Oldsmar water treatment plant is still active and ongoing,” sheriff’s office spokeswoman Aleksandra Kowalski wrote in an email to the Catalyst. “We have no updates to provide to the public at this time.”
If it had gone undetected, the incident, which occurred just two days before the Super Bowl being held in nearby Tampa, could have led to the poisoning of Oldsmar’s water supply.
It certainly caught the attention of (ISC)², a Clearwater-based nonprofit membership association that provides cybersecurity training and certification to individuals, companies and government agencies around the world. Bruce Beam, the organization’s chief information officer, told the Catalyst that the attack was carried out in an “unsophisticated” manner, almost like the perpetrator “wanted to be detected.”
The hacker breached the city’s network via TeamViewer, a widely used application that’s designed to allow a company’s IT team to remotely access an employee’s computer in order to solve technical issues. According to its website, TeamViewer has been installed on some 2.5 billion devices worldwide.
“Let’s say you can’t get your printer to work,” Beam said. “Well, my team could log in and remote into your computer, take control of your computer and basically drive the mouse around and use a keyboard to type on your computer and take over your computer completely.”
Scary stuff to think about, right? Beam said TeamViewer and other remote-access tools are relatively easy to secure, but organizations sometimes fail to do so. “Maybe someone’s sharing passwords,” he said. “Maybe they don’t have multi-factor authentication enabled … there’s an array of things that can let [hackers] in.”
(ISC)², Beam said, doesn’t use TeamViewer but if it did, it would activate the setting that requires users to actively accept a request for remote access. In the Oldsmar case, Beam said, that probably didn’t happen. “They probably had it misconfigured because you can set TeamViewer to auto accept.”
Another major takeaway from the Oldsmar incident, Beam said, is the need for what he calls “cyber hygiene” — evaluating what you really need to expose to the Internet.
“The biggest question my security team and I are bouncing around is: Why is this open to the Internet in the first place?” he said. “I think that’s where sometimes companies overlook the trees for the forest.”
Beam questioned whether Oldsmar’s water treatment plant needed to have the ability to be accessed remotely “because there was obviously an operator sitting there monitoring it.” He added, “It could’ve just been a closed network. I would say that someone hasn’t looked at the adequate risk profile for this particular organization.”
Gualtieri, at his press conference on Monday, echoed Beam’s concerns and called for other organizations to take heed.
“Because of this security breach,” he said, “we are asking that all government entities within the Tampa Bay area with critical infrastructure components actively review their computer security protocols and make any necessary updates that are consistent with the most up-to-date practices.”