When the Oldsmar, Florida, water system was hacked in early February in a failed effort to poison its water supply, it sent chills up the spines of cybersecurity experts – as well as general consumers – nationwide. Is it this easy to infiltrate a public utility, many wondered?
The answer, in a word, is “yes.”
To take control of the Oldsmar water facility, all the hackers needed to do was login to a TeamViewer account, which allows remote users to operate the computer as if they were sitting right there. In the case of Oldsmar, the computer the hackers accessed enabled them to raise the levels of lye in the water from 100 parts per million to 11,100 parts per million; lye levels of more than 10,000 parts per million can lead to difficulty swallowing, nausea, vomiting, abdominal pain, and even damage to the gastrointestinal tract.
Fortunately, Oldsmar has security measures in place to identify unsafe chemical levels in its water and was able to stop the attack before it affected its 15,000 residents.
The Escalating Cybersecurity Risk
Experts have been warning of these kinds of breaches for years. With the work-from-home movement inspired by a global pandemic, remote access is becoming even more necessary, and the cybersecurity risks are escalating proportionately.
If you think the easy solution is to disable TeamViewer – yes, that will prevent future attacks that use TeamViewer as the access point – then know that there are even easier ways to take over a public utility in this era of portable media.
Consider the worker who now works from home three days a week and commutes to the office the other two. More than likely, this employee is moving data back and forth on a USB flash drive or external hard drive. All the hacker needs to do is target the portable media device when it is in an active state, load a malicious program onto the device, and wait for the employee to plug the device into a work computer.
It’s that easy.
Improbable, you say?
Weaponized USB Flash Drives
In January 2010, the world’s first digital weapon – Stuxnet – was launched against Iran’s Natanz nuclear facility. The weapon of choice? A USB flash drive. Stuxnet wreaked such havoc on the facility that experts estimate it took 10 years for Iran’s nuclear enrichment program to recover.
Fourteen months prior to the Stuxnet attack, in November 2008, the worst cyberattack in the history of the Department of Defense came from a USB drive found in the parking lot. A flash drive infected with a virus called “agent.btz” was inserted into a DoD computer network and quickly spread throughout the U.S. military’s classified and unclassified networks. The virus allowed network data to be transferred to other servers under the control of agent.btz’s creator.
For months, no one within the DoD knew the virus was there, what it might have sent, and to whom the information went.
We’re All at Risk
Public utilities and the government are not the only ones prone to such USB flash drive attacks. In fact, weaponized USB devices are the main source of malware for industrial control systems, said Luca Bongiorni of Bentley Systems during his talk at the 2019 Security Analyst Summit. This is true even for air-gapped systems, which is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.
Not convinced that USB flash drives are really such a threat? Consider the industrial facility employee who, in November 2017, wanted to watch La La Land, so he downloaded the movie to a flash drive over lunch. So begins the story of how an air-gapped system at a nuclear plant got infected – an all-too-familiar tale of extremely avoidable critical infrastructure infection.
Yes, we need to do more to keep hackers from accessing remote systems such as TeamViewer, but we also need to do more to protect our vulnerable computer networks from being infected by portable media. The easy and affordable answer is to lock down all computer and network ports with simple but effective USB port locks, HDMI port locks, and network port locks.
If we don’t, it will only be a matter of time before the next Oldsmar is making headlines.
