Water treatment cyberattack updates
Posted February 10, 2021
- The FBI has released an advisory on the Oldsmar water treatment facility incident. In an advisory (shared on Twitter by POLITICO’s Eric Geller) the Bureau said the attack “likely” exploited an old Windows 7 operating system and weak password security as they (or he, or she) gained access to the TeamViewer software in use at the facility.
- The Miami Herald says that other regional water utilities have assured them that they have safeguards in place that would have prevented the sort of incident Oldsmar sustained.
- Who did it remains an open question.
- The FBI’s recommendations for securing infrastructure are:
- “Use multiple factor authentication;
- “Use strong passwords to protect Remote Desktop Protocol (RDP) connections;
- “Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure;
- “Audit network configurations and isolate computer systems that cannot be updated;
- “Audit your network for systems using RDP, closing unused RDP ports; applying two-factor authentication wherever possible, and logging RDP login attempts;
- “Audit logs for all remote connection protocol;
- “Train users to identify and report attempts at social engineering;
- “Identify and suspend access of users exhibiting unusual activity;
- “Keep software updated.”
- Dragos had published a quick set of recommendations useful in securing any industrial environment:
- “Manually identify software installed on hosts, particularly those critical to the industrial environment such as operator workstations- such as TeamViewer or VNC. Accessing this on a host-by-host basis may not be practical but it is comprehensive.
- “Beyond host data, there are a variety of network traffic sources to help identify TeamViewer. Most environments are not configured where centralized logging is occurring and can be a manual process. We recommend:
- “Use DNS logging to identify outbound DNS resolution to *.teamviewer.com
- “Encrypted communications to teamviewer.com will have a X509 certificate for *.teamviewer.com
- “Use perimeter logging or other network logging to identify external communications via TCP/5938 and UDP/5938.
- “Talk to the operations staff or IT staff at the site to determine if other remote software tools such as virtual private networks are used. If so, perform searches for those tools and where possible utilize multi-factor authentication on remote connections.
- “From a prevention perspective, blocking these communications, and all egress communications that are not explicitly approved, will prevent remote access solutions like TeamViewer. However, ensure that you talk with plant personnel before doing this and after blocking any connections be available to reverse the changes if something was necessary that they did not know about.”
| February 10, 2021