Sistrunk cautioned against blaming the victim, as "water utilities are struggling enough with aging infrastructure and clogged pipes as it is." He also pointed to a set of guidelines published by the Water Information Sharing and Analysis Center (WaterISAC), a trade group that works with the U.S. Environmental Protection Agency, which lay out fundamental cybersecurity best practices that should be adopted inside critical infrastructure.

"Is it normal/OK to use TeamViewer...? Yes it is normal. No it is not OK," Miller told Motherboard in an online chat. "Many of us in the industry have memes for when we find TeamViewer…"

"This is an education or attitude problem. Allowing weak controls on remote access to critical systems is the issue," Miller added. "Someone either chose to do this for convenience with knowledge of the risks or they were ignorant of the risk and thought it wouldn’t be found (or that it was secure enough in this configuration)."

There's still a lot we don't know about the hack of the City of Oldsmar's water treatment system, and the details of how the hacker took control will be key to knowing how much the water utility was responsible for not securing its systems.

Either way, the good news is that the water utility caught the intrusion, which wasn't as subtle as it could have been. And it's unlikely an attack like this would have worked against other utilities either, according to experts.

"Even though the hacker knew enough to manipulate a dangerous chemical, this intrusion still feels a bit ham fisted," Carhart said. "In most environments the change would have been caught fairly rapidly."

Moreover, it's actually unlikely that the hacker could have really caused widespread harm. Most water systems have physical limits on how much of a certain chemical can be pumped into the process, according to Miller.

"It’s an actual physical size restriction," Miller said. "Meaning you just can’t physically move that much chemical through the system that fast. So, even if the [Programmable Logic Controller] accepted some crazy value like 1000ppm when it was expecting 10ppm (which is still unlikely), you couldn’t make that happen quickly because the physical equipment isn’t capable of doing it."

Do you know more about this hack? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com