Compromised: Lack of Security Makes our Infrastructure Vulnerable
​As the investigation continues into the breach of the computer system for the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida on February 5th.  What is becoming clearer is that this hack was due to several different failures in security that led to the site to be compromised by attackers.  While the damage was little, it could have been a lot worse.

Security Failures

While this investigation into the breach of security is still ongoing at the time of this blog post, the common theme is that the facility was using older equipment with lax security protocols.  These issues were compounded by the other and helped to provide a path for an attacker to take advantage of these vulnerabilities.  Additionally, remote management software could connect to these systems without being blocked.

Here is the list on known security failures as of this post:

  • Old Windows 7 OS used on critical systems
  • No security patches or updates for over 1 year
  • TeamViewer software allowed to connect to network
  • Weak password management policy

While each of these failures are not the only reason for the compromise, all of them in conjunction with one another led to what could have been a serious issue if it were not for someone watching the system and taking corrective action to return the systems to normal.

Attacker Accomplished

The FBI was called in to investigate the compromise and found that the levels of sodium hydroxide in the water treatment had been raised from 100 parts per million to 11,100 parts per million for only a few minutes.  This chemical is used to clear clogged drains and could have caused potential deaths if ingested by members of the public.

Corrective Action

Addressing the failures that have been identified by this attach should be remediated so that a similar type of attack does not occur.  But this threat has showed what IT Security Pros already know, our infrastructure is not keeping up to date with evolving technologies.  This creates vulnerabilities where it should be more secure.  Municipalities are notorious for not updating or upgrading systems or software due to not having the funds to replace or update them.

While taking corrective measures now will address these issues, this is a systemic issue that will only be solved when municipalities, and jurisdictions start taking security seriously and not putting off the much-needed upgrades and enhancements that are required to stay up to date. Microsoft for one puts out notices to the public to let them know that there is going to be an end-of-life date for its systems and applications.  Why didn’t the municipality head those warnings and transition to supported hardware and software applications?

​Remaining Threat

Due to the attention that this event is getting, it seems that these corrective actions will be taken as the city tries to deal with the fall out of it.  But the underlying fact remains that all public utilities face, a crumbling infrastructure and the management systems that are needed to keep them up and running.  This is a high visibility event, and the attention will be on the city to see how they handle these issues in the future.  

Security for Infrastructure
Here are some of my recommendations for dealing with these same issues, whether you are a small business, or a large municipality, here are some commonsense guidance that you can follow:

1.Only use supported hardware/software
This means to use only those systems and applications that are fully supported by the manufacturer and that if they are not, you replace them ASAP.  This is one of the most common mistakes organizations make, waiting to upgrade later.  Do not put it off, when it’s the end of life for a system or application, replace it.
2.Have a patch management program
With the hardware and the OS not receiving updates on a regular basis, these systems continue to increase in the amount of risk and potential vulnerabilities that they pose to the organization.  Have an established patch management program and update software and hardware systems as soon as the patches come out.  This helps to limit vulnerabilities while also ensuring that potential risks are mitigated in a timely manner.
3.Establish Strong Security Policies/ Standards
The need to establish strong policies and standards can’t be understated here.  The use of the following types of characters should be used:

  • Upper Case
  • Lower Case
  • Numbers
  • Special Characters
  • Non-dictionary Words
  • Pattern Passwords (p@$$W0rd1984!)
  • Number of Past Passwords Stored Increased

With all of these measures, access account passwords would be more complex and more difficult to potential cracks by an attacker.  While no password is 100% secure, there are steps that administrators can take to improve the security of these accounts.
4.Restrict VPN Access to Key Systems
This can be accomplished by preventing incoming connection requests from being responded to, or by securing systems behind a firewall or in a DMZ with restricted IP access points.  While there may be ways in which these steps can be overcome, those steps are made more difficult than by not having them in place.  This should be especially true to those systems such as a water purification plant or even an electric distribution center.

While nobody was killed during this attack and someone was quickly able to respond to changes within the purification process, it could have been much worse.  Like a lot of other assets that are government owned and operated, our infrastructure is prime for being targeted by those that want to do our country or our cities harm.  No matter what is found when the actual source of the attack is eventually discovered, this should be a wake-up call for all governmental organizations and jurisdictions that they can be compromised and that they need to be up to date with their security posture, just like in the private sector.

The worst thing about this attack on the purification plant is that all these security issues should have been addressed a long time ago.  Even if just upgrading and patching their systems could have helped deter a potential attack.  Some of the simplest things make the biggest difference when it comes to these sorts of events.  We can only hope that they employ a well-respected IT Security Pro to help them address these issues in the most effective and expedient manner possible.

Reference Site

Go to Source of this post
Author Of this post:

By admin