The hallmarks of the Feb. 5 cyberattack against the Oldsmar, Fla., water treatment facility likely paint a picture typical of industrial control system environments, where under-resourced staff, pressured by mandates for availability and safety, rely on legacy software and inadequate remote-access solutions to run an entity responsible for a vital public utility.
Operators inside the Oldsmar facility detected two intrusions from outside the plant on that day, the second of which involved a remote attacker, connected via TeamViewer desktop-sharing software, changing the level of sodium hydroxide in residential and commercial drinking water from 100 parts per million to 11,100 parts per million. Sodium hydroxide, or lye, is caustic; it is added to water to control acidity and remove certain metals.
The operators' quick action to cut off the attacker's access, supported by safeguards innate to water-treatment systems, kept the contaminated water from ever reaching the public. But underlying their heroism are systemic problems across critical infrastructure that are going to be compounded as more companies bring operational technology (OT) under IT and connect more of these critical systems online.
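An added example, not code from the Oldsmar plant or any vendor, of the kind of independent safeguard the paragraph refers to: a bounds and rate-of-change check placed in front of a dosing setpoint, so a single write from any session cannot move the process outside its design envelope. The loop limits, write sources and sample writes are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SetpointGuard:
    """Independent bounds check in front of a chemical dosing setpoint."""
    low: float          # lowest setpoint the process design allows
    high: float         # highest setpoint the process design allows
    max_step: float     # largest change one write may make
    current: float      # last accepted setpoint
    alarms: list = field(default_factory=list)

    def propose(self, new_value: float, source: str) -> bool:
        """Apply the write if it stays inside the envelope; otherwise keep
        the current value, record an alarm and return False."""
        if not self.low <= new_value <= self.high:
            reason = "outside operating envelope"
        elif abs(new_value - self.current) > self.max_step:
            reason = "change larger than max_step"
        else:
            self.current = new_value
            return True
        self.alarms.append((source, self.current, new_value, reason))
        return False


def replay(writes, start=100.0):
    """Run (source, value) writes through a guard for a NaOH dosing loop
    and return (final_setpoint, alarms). Limits here are constructed."""
    guard = SetpointGuard(low=50.0, high=200.0, max_step=25.0, current=start)
    for source, value in writes:
        guard.propose(value, source)
    return guard.current, guard.alarms


# Constructed write sequence: a routine local adjustment, then the
# 100 -> 11,100 ppm change reported at Oldsmar.
SAMPLE_WRITES = [("hmi-local", 110.0), ("remote-session", 11100.0)]

if __name__ == "__main__":
    final, alarms = replay(SAMPLE_WRITES)
    print(f"setpoint={final} ppm alarms={alarms}")
```

The alarm tuple records the session that attempted the write, which is what an operator needs in order to disconnect it.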
On Thursday, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an alert about the Oldsmar compromise, calling out some of these systemic issues, starting with the facility's use of TeamViewer—and the same shared password to access the application—as well as outdated and unsupported versions of Windows 7 to remotely manage water treatment. The Water ISAC also published an advisory.
In an environment where downtime is hardly tolerated, it's not unusual to see legacy Windows 7 machines and other outdated, unsupported software running in production. This is problematic: Microsoft, for example, ended support for Windows 7 in January 2020, so those systems no longer receive security or feature updates unless they are on an expensive Extended Security Update plan, which is priced per device and gets costlier the longer the customer subscribes.
"Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits," CISA warned in its alert. Microsoft in 2019, for example, made an emergency patch available for a critical RDP flaw that was being exploited in the wild. "Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks," CISA added.
The use of free versions of TeamViewer and other remote desktop-sharing and support applications is also not uncommon inside these environments. The COVID-19 pandemic has only heightened the risk posed by these applications as workforces become increasingly remote and access to key processes from outside the facility becomes a necessity.
TeamViewer provides administrators and operators with easy, inexpensive access to facilities, but these applications must be configured with security in mind. Even then, they're not adequate for OT networks. Unlike purpose-built secure access solutions, these applications do not adequately log user activities, provide auditing capabilities, or allow admins to monitor—and disconnect if necessary—remote sessions in real time. They also often do not let admins set different user-permission levels based on roles. Once an attacker has access to the application, as in the case of Oldsmar, they can gain remote control over the control system it's connected to.
Because of the way TeamViewer works, it allows remote connections that bypass Network Address Translation (NAT) and firewalls: endpoints that sit on two different networks can still reach each other, so anyone with the right password can connect to a machine running TeamViewer. This is in contrast to Microsoft's Remote Desktop Protocol (RDP), for example, which requires both computers to be on the same network; in these cases, usability may trump security.
CISA's alert includes a lengthy list of mitigations, including a recommendation that industrial enterprises operate on current versions of Windows and use multi-factor authentication and strong passwords to secure remote connections. Auditing of network configurations is also recommended, as is segmenting systems that cannot be updated.
CISA also cautioned that TeamViewer and other similar applications can be abused not only for remote access to critical processes, but also to move laterally across a network, inject malicious code such as remote access Trojans (RATs), and obfuscate other malicious activity.
"TeamViewer's legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs," the alert said.
In addition, organizations should deploy secure access solutions that are designed for ICS environments, ones that allow only authorized users to create sessions and let administrators monitor and disconnect those sessions in the event of malicious activity. It's also important to have network detection software in place that provides visibility into assets running on an OT network, including out-of-date OSes and software as well as any CVEs associated with those products, allowing administrators to take action.
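An added example, not CISA's or any vendor's code, showing how the mitigations above can be turned into an automated check over an OT asset inventory: unsupported Windows versions, remote-access tools without MFA or with a shared password, internet-reachable remote access, and process-controlling hosts outside the OT zone. The inventory format, field names and host records are constructed; the Windows end-of-support dates are Microsoft's published dates.

```python
from datetime import date

# Microsoft end-of-support dates (published).
WINDOWS_EOL = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}
REMOTE_ACCESS_TOOLS = {"TeamViewer", "RDP"}
AUDIT_DATE = date(2021, 2, 5)  # constructed: day of the Oldsmar incident


def audit_host(host: dict, today: date) -> list:
    """Return a list of findings for one host (empty means nothing flagged)."""
    findings = []
    eol = WINDOWS_EOL.get(host["os"])
    if eol and today > eol and not host.get("esu"):
        findings.append(f"{host['os']} unsupported since {eol}: update or segment")
    tools = REMOTE_ACCESS_TOOLS & set(host.get("software", ()))
    if tools:
        names = ", ".join(sorted(tools))
        if not host.get("mfa"):
            findings.append(f"{names} without multi-factor authentication")
        if host.get("shared_password"):
            findings.append(f"{names} uses a shared password: issue per-user credentials")
        if host.get("internet_reachable"):
            findings.append(f"{names} reachable from the internet: restrict to VPN/allow list")
    if host.get("controls_process") and host.get("zone") != "ot":
        findings.append("process-controlling host is outside the segmented OT zone")
    return findings


def audit(inventory: list, today: date) -> dict:
    """Map each host name to its findings."""
    return {h["name"]: audit_host(h, today) for h in inventory}


# Constructed inventory resembling the situation the article describes.
SAMPLE_INVENTORY = [
    {"name": "hmi-01", "os": "Windows 7", "software": ["TeamViewer", "SCADA HMI"],
     "mfa": False, "shared_password": True, "internet_reachable": True,
     "controls_process": True, "zone": "ot"},
    {"name": "eng-ws", "os": "Windows 10", "software": ["RDP"],
     "mfa": True, "shared_password": False, "internet_reachable": False,
     "controls_process": False, "zone": "it"},
]


def audit_sample() -> dict:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, findings or ["ok"])
```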
CWE-1390: WEAK AUTHENTICATION
The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password.
Optigo Networks recommends users always use a unique management VLAN for the port on the ONS-S8 that is used to connect to OneView.
Optigo Networks also recommends users implement at least one of the following additional mitigations:
Use a dedicated NIC on the BMS computer, and use only this computer for connecting to OneView to manage your OT network configuration.
Set up a router firewall with a white list for the devices permitted to access OneView.
Connect to OneView via secure VPN.
CVSS v3: 9.1
CWE-98: IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM ('PHP REMOTE FILE INCLUSION')
The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code. ONS-S8 - Spectra Aggregation Switch: 1.3.7 and prior are affected.
Optigo Networks recommends users always use a unique management VLAN for the port on the ONS-S8 that is used to connect to OneView.
Optigo Networks also recommends users implement at least one of the following additional mitigations:
Use a dedicated NIC on the BMS computer, and use only this computer for connecting to OneView to manage your OT network configuration.
Set up a router firewall with a white list for the devices permitted to access OneView.
Connect to OneView via secure VPN.
CVSS v3: 9.8
CWE-367: TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION
The vulnerability is a race condition between the time a file is checked and the time it is used (TOCTOU). By winning this race, an attacker can write arbitrary files to the system, which could allow the attacker to execute malicious code and potentially cause file loss.
CVSS v3: 5.3
CWE-24: PATH TRAVERSAL
The vulnerability allows an attacker to craft MQTT messages that include relative path traversal sequences, enabling them to read arbitrary files on the system. This could lead to the disclosure of sensitive information, such as configuration files and JWT signing secrets.
CVSS v3: 6.5
CWE-313: CLEARTEXT STORAGE IN A FILE OR ON DISK
The configuration file stores credentials in cleartext. An attacker with local access rights can read or modify the configuration file, potentially allowing the service to be abused through exposure of that sensitive information.
Moxa recommends the following to address the vulnerabilities:
CVSS v3: 5.5