Bay Area water supply targeted by cybercriminals

Oldsmar water treatment attack

Cybercriminals have targeted the Bay Area water supply.

As in the Oldsmar water treatment attack in Florida, the threat actor used legitimate credentials to log in through the remote access tool TeamViewer. Once inside, they deleted programs that the plant used to treat drinking water.

NBC News first reported Thursday that the unidentified criminal used a former plant employee’s username and password to gain entry to the unidentified Bay Area water treatment facility on Jan. 15. Michael Sena, executive director of the Northern California Regional Intelligence Center, confirmed NBC’s report about the security breach, but declined to say where it occurred or who carried it out.

Bill O’Neill, VP, public sector, ThycoticCentrify, explains, “The consequences of a data breach can vary greatly depending on the intention of the adversary. Some hackers simply aim to cause disruption. Others extract valuable PII to sell on the Dark Web, while others look to extort money due to ransomware. When a cyberattack is attempted against critical infrastructures such as hospitals, electrical grids, or water systems, the potential repercussions can affect thousands of individuals like you and me. It can be devastating — or even deadly. In fact, the 2020 Global State of Industrial Cybersecurity report found that 74% of IT security professionals are more concerned about a cyberattack on critical infrastructure than an enterprise data breach.”

The Bay Area attack was followed by a similar one in Oldsmar, Fla., a few weeks later, where cybercriminals gained access to a TeamViewer account and raised the level of lye in the drinking water to poisonous concentrations. An employee quickly noticed the computer’s mouse moving on its own and undid the hacker’s changes.

“The Oldsmar water treatment plant incident and the newly uncovered Bay Area water supply attack should serve as urgent reminders to organizations about taking precautionary steps before a cyberattack occurs,” O’Neill says. “To help lock down critical systems, we suggest enforcing least privilege and adopting what is referred to as a ‘Zero Trust’ approach. This means trusting no one until they have been adequately verified and validated, re-establishing trust. Through self-service workflows, admins can request elevated privileges just-in-time for a limited time. This approach of verifying who is requesting access, the context of the request, and the access environment’s risk combine to mitigate the risk of a breach.”
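The just-in-time elevation workflow O’Neill describes can be modelled as a small broker that checks who is asking, the context of the request and the risk of the access environment before handing out a privilege that expires on its own. The following is an added illustration written for this article, not ThycoticCentrify’s product or any code from the incidents; the account list, role names, network labels and the risk weights are assumptions constructed for the example.

```python
"""Toy just-in-time privilege broker (added example, not vendor code).

Assumptions (constructed for illustration): an HR-sourced set of active
accounts, a role name such as "hmi-admin", source-network labels, and
simple additive risk weights. A real deployment would take these from the
identity provider, device-management system and network inventory.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AccessRequest:
    user: str
    role: str               # privilege requested, e.g. "hmi-admin" (assumed name)
    mfa_verified: bool      # "who is requesting access"
    device_compliant: bool  # "the context of the request"
    source_network: str     # "the access environment's risk"
    justification: str


@dataclass
class Grant:
    user: str
    role: str
    issued: datetime
    expires: datetime


@dataclass
class JitBroker:
    active_accounts: set
    max_minutes: int = 60               # hard cap on any elevation window
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def risk_score(self, req: AccessRequest) -> int:
        """Additive risk: weights are constructed, not from any standard."""
        score = 0
        if not req.mfa_verified:
            score += 3
        if not req.device_compliant:
            score += 2
        score += {"plant-lan": 0, "corp-vpn": 1}.get(req.source_network, 3)
        return score

    def request(self, req: AccessRequest, now: datetime, minutes: int) -> Optional[Grant]:
        """Return a time-limited grant, or None (with an audit entry) on denial."""
        if req.user not in self.active_accounts:
            return self._deny(req, "account not active (offboarded or unknown)")
        if not req.mfa_verified:
            return self._deny(req, "identity not verified with MFA")
        if not req.justification.strip():
            return self._deny(req, "no justification supplied")
        risk = self.risk_score(req)
        if risk >= 3:
            return self._deny(req, f"risk score {risk} too high for this role")
        ttl = min(minutes, self.max_minutes)       # never exceed the cap
        grant = Grant(req.user, req.role, now, now + timedelta(minutes=ttl))
        self.grants.append(grant)
        self.audit.append(f"GRANT {req.user} {req.role} until {grant.expires.isoformat()}")
        return grant

    def is_elevated(self, user: str, role: str, now: datetime) -> bool:
        """Privilege exists only inside an unexpired grant window."""
        return any(
            g.user == user and g.role == role and g.issued <= now < g.expires
            for g in self.grants
        )

    def _deny(self, req: AccessRequest, reason: str) -> None:
        self.audit.append(f"DENY {req.user} {req.role}: {reason}")
        return None


def demo():
    """Walk through one approved and three denied requests (constructed data)."""
    broker = JitBroker(active_accounts={"operator1", "operator2"})
    t0 = datetime(2021, 1, 15, 9, 0)
    ok = broker.request(AccessRequest("operator1", "hmi-admin", True, True, "corp-vpn", "patch HMI"), t0, 30)
    former = broker.request(AccessRequest("jdoe", "hmi-admin", True, True, "corp-vpn", "check"), t0, 30)
    no_mfa = broker.request(AccessRequest("operator2", "hmi-admin", False, True, "plant-lan", "check"), t0, 30)
    risky = broker.request(AccessRequest("operator2", "hmi-admin", True, True, "internet", "check"), t0, 30)
    return broker, ok, former, no_mfa, risky, t0


if __name__ == "__main__":
    broker, ok, *_ , t0 = demo()
    print(ok, broker.is_elevated("operator1", "hmi-admin", t0 + timedelta(minutes=31)))
    print("\n".join(broker.audit))
```

The point of the model is that privilege is a consequence of a verified, contextual, time-boxed request rather than a standing property of the account: a former employee’s valid password yields nothing, and even an approved grant stops working once its window closes.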

Sam Humphries, security strategist at Exabeam, says, “Critical national infrastructure (CNI) is at the top of the target list for adversaries, given the impact if successful – even in part. The need to understand and baseline normal in terms of critical asset/system access is absolutely key in protecting critical infrastructure. Regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk. We’ve got to ensure we’re monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality – regardless of how small – should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale.”

Humphries adds, “Working smarter with automation technologies in managing large volumes of data streams, analyzing them for anomalies and reporting risk in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical.”
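Humphries’ two points, baselining normal access to critical systems and automatically flagging every abnormality for triage, can be shown on a small scale with a check run over remote-access audit events. The code below is an added example written for this article, not Exabeam’s product or anything from the affected plants; the log format, the account names, the host name and the two sample logs are all constructed, and it also applies the stale-credential lesson from the Bay Area intrusion by comparing each login against a list of currently active accounts.

```python
"""Baseline-and-anomaly check over remote-access audit events (added example).

Constructed assumptions: one JSON object per line with ts, user, src, host and
action; ACTIVE_ACCOUNTS stands in for an HR/identity feed; the action names are
invented labels. In practice the remote-access tool's own audit log and the
directory of enabled accounts would be the inputs.
"""
import json
from collections import defaultdict
from datetime import datetime

ACTIVE_ACCOUNTS = {"operator1", "operator2"}          # constructed
DESTRUCTIVE_ACTIONS = {"delete_program", "change_setpoint"}  # constructed labels

# Constructed "normal" period used to learn each account's usual sources and hours.
BASELINE_LOG = """
{"ts": "2021-01-04T08:02:11", "user": "operator1", "src": "10.20.1.15", "host": "wtp-hmi-01", "action": "login"}
{"ts": "2021-01-04T08:40:00", "user": "operator1", "src": "10.20.1.15", "host": "wtp-hmi-01", "action": "view_setpoints"}
{"ts": "2021-01-05T09:15:42", "user": "operator2", "src": "10.20.1.22", "host": "wtp-hmi-01", "action": "login"}
{"ts": "2021-01-06T14:30:05", "user": "operator1", "src": "10.20.1.15", "host": "wtp-hmi-01", "action": "login"}
{"ts": "2021-01-07T10:05:19", "user": "operator2", "src": "10.20.1.22", "host": "wtp-hmi-01", "action": "login"}
"""

# Constructed review window containing a former employee's account, a night-time
# login from an unfamiliar address, and a destructive action on the HMI host.
REVIEW_LOG = """
{"ts": "2021-01-15T02:13:09", "user": "jdoe", "src": "203.0.113.7", "host": "wtp-hmi-01", "action": "login"}
{"ts": "2021-01-15T02:19:44", "user": "jdoe", "src": "203.0.113.7", "host": "wtp-hmi-01", "action": "delete_program"}
{"ts": "2021-01-15T08:05:00", "user": "operator1", "src": "10.20.1.15", "host": "wtp-hmi-01", "action": "login"}
{"ts": "2021-01-15T23:50:31", "user": "operator2", "src": "10.20.1.22", "host": "wtp-hmi-01", "action": "login"}
"""


def parse(log: str):
    """Parse newline-delimited JSON events, converting the timestamp field."""
    events = []
    for line in log.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def build_baseline(events):
    """Per-account profile: source addresses and hours of day seen in the baseline."""
    profile = defaultdict(lambda: {"src": set(), "hours": set()})
    for e in events:
        profile[e["user"]]["src"].add(e["src"])
        profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile


def find_anomalies(events, profile, active_accounts):
    """Flag every deviation from the baseline; nothing is too small to record."""
    findings = []
    for e in events:
        reasons = []
        if e["user"] not in active_accounts:
            reasons.append("account not in active-employee directory")
        p = profile.get(e["user"])
        if p is None:
            reasons.append("no baseline for this account")
        else:
            if e["src"] not in p["src"]:
                reasons.append(f"unseen source {e['src']}")
            if e["ts"].hour not in p["hours"]:
                reasons.append(f"outside usual hours ({e['ts'].hour:02d}:00)")
        if e["action"] in DESTRUCTIVE_ACTIONS:
            reasons.append(f"destructive action {e['action']}")
        if reasons:
            high = e["user"] not in active_accounts or e["action"] in DESTRUCTIVE_ACTIONS
            findings.append({
                "ts": e["ts"].isoformat(), "user": e["user"], "host": e["host"],
                "severity": "high" if high else "medium", "reasons": reasons,
            })
    return findings


def run():
    """Learn from the baseline log and review the second log against it."""
    profile = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(parse(REVIEW_LOG), profile, ACTIVE_ACCOUNTS)


if __name__ == "__main__":
    for f in run():
        print(f["severity"].upper(), f["ts"], f["user"], "|", "; ".join(f["reasons"]))
```

Two design choices reflect the quotes above: an account missing from the active directory is high severity on its own, because a valid password for a departed employee is exactly what opened the door in the Bay Area case, and the ordinary operator’s late-night login is still recorded as medium rather than suppressed, since the abnormality has to be triaged by someone even if it turns out to be legitimate overtime.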