EXECUTIVE SUMMARY:

“If you could imagine a community center run by two old guys who are plumbers, that’s your average water treatment plant,” said an anonymous cyber security consultant.

On January 15th, a cyber criminal attempted to poison a water treatment facility that serves the San Francisco Bay Area. The individual responsible for the incident has since been identified by law enforcement.

This incident had not been previously reported, and is likely one of many unreported cyber attacks within the US. This Bay Area water utility attack closely followed the Oldsmar, Florida attack, which had been publicly reported several weeks earlier.

“…of all the country’s critical infrastructure, water might be the most vulnerable to hackers…” reports NBC News.

Water treatment plant access

The cyber criminal used the username and password of a former employee’s TeamViewer account. TeamViewer is a remote access tool that lets IT support staff connect to distributed computers or infrastructure systems.

After gaining remote entry, the cyber criminal erased programs used by the water treatment plant to manage drinking water. Water treatment facility employees did not discover the attack until the following day. At that point, administrators replaced older passwords and reinstalled programs.

“No failures were reported as a result of this incident, and no individuals in the city reported illness from water-related failures,” stated the water treatment plant. Utility operators did not specify which water treatment facility had been breached, and which city may have been affected.

Parallels with Oldsmar

As noted previously, the attack on the Oldsmar water treatment facility took place several weeks ahead of this attack. Both incidents involved the use of illicit access to a TeamViewer account. The former incident made headlines internationally.

“…[water treatment plants] are the hardest in which to guarantee everyone follows basic cybersecurity steps, and the easiest in which to cause major, real-world harm to large numbers of people,” reports NBC News.

Security of water facilities

Because the US water system is not centralized, there is less chance of a widespread hack. It also means that there will not be a single, standardized solution for securing water treatment plants.

As of this writing, authorities do not have information about how the cyber criminal in the Bay Area incident obtained TeamViewer account credentials.

Experts can reasonably hypothesize that the hacker or hackers involved may have purchased the credentials from a dark web forum. Kent Backman, a cyber security researcher, states that at least 11 Oldsmar employees were unwitting victims of data theft, and their data has been traded on the dark web.

Mass poisoning

Without a shadow of a doubt, the prospect of mass poisoning is terrifying, and it has not happened. However, as NBC reports, attacks on water systems have not been limited to Florida and the San Francisco Bay Area.

  • Hackers recently tripped a water warning system in the state of Pennsylvania.
  • In another previously unreported incident, last summer a Southern California water district experienced a ransomware attack.

The time for water treatment facilities to take action was yesterday. The next best time to take action is now.

For more on this story, visit NBC News.