Imagine having an emergency, calling 911, and being told that they cannot dispatch someone to you because their systems were taken over by a hacker. Or, in a worse scenario, a passenger train is moving at high speed but is not aware of the slow-moving freight train ahead because the Automatic Block Signaling system was turned off by criminals.
911 systems and centralized railroad traffic control are both examples of critical infrastructure.
Every city in the world has critical infrastructure to safeguard for commercial, industrial, and communal interests. Recent events have highlighted just how important managing the discovery, localization, and prioritization of risk to infrastructure continuity can be to the public.
"Critical infrastructure" is broad and encompasses many different utility and service based systems. Many states have their own legislative definitions but at a federal level the Department of Homeland Security defines critical infrastructure to include: any entity involved in the manufacture of critical goods or chemicals, commercial facilities, communications, dams, emergency services, governmental facilities, information technology in general, energy generation, transportation systems, and water systems inclusive of both waste and supply considerations.
Disruption to any of these systems can have serious implications in the health and safety of the people who depend upon them. Disruption can come from many causes including natural disasters, failure of technology, or even from malicious threat actors intent on doing harm.
This was the case in Oldsmar, a small city in Pinellas County, Florida. In February 2021, a hacker gained entry to the city's water treatment system and tried to increase the level of sodium hydroxide (better known as lye) to more than 100 times the normal level in the city's water supply. This action put thousands of people at risk of being poisoned.
According to written accounts, it seems that pure luck resulted in an unsuccessful attack. An operator at the water treatment plant noticed the intrusion and watched the attacker access the system remotely and change the sodium hydroxide level. The operator was able to reduce the level back to normal before there was any serious impact to the water supply. Had the operator not been at that place at that time, the outcome may have been different.
While details of who committed the breach have not been released, we do know how the hackers gained access to the Oldsmar water system. It is reported that at least three factors were involved in the breach of the network:
TeamViewer - Oldsmar used this popular remote control software to enable their employees to work remotely. While TeamViewer was confirmed as the attack vector, there was nothing specific about the application that the hackers exploited.
Shared passwords - Oldsmar was reportedly sharing the same TeamViewer credentials among multiple employees, suggesting poor security hygiene that conflicts with security best practices for accountability and auditability.
Microsoft Windows 7 - Oldsmar was using obsolete Microsoft® Windows® 7 on its network. This operating system was first introduced in 2009, and reached “end of life” status in January of 2020. When software reaches EOL, the vendor no longer provides security updates or fixes.
What is at Risk?
Critical infrastructure is not limited to government entities, however. Virtually every business and service organization has critical systems that are the backbone of their operations. Any disruption could have disastrous consequences that at best cost huge sums to remediate, and at worst, put lives at risk.
While your organization may not be responsible for critical infrastructure the way the City of Oldsmar is, you do have assets and data that need protection. Here are some examples that come to mind:
- Hospitals and medical centers - patient records and systems
- Banks and financial institutions - customer financial records
- Schools - student records and test scores
- Retail - inventory data
- Logistics companies - shipping, receiving, and tracking
- Museums and cultural organizations - inventory and art valuations
Virtually every large financial institution and healthcare system has put in place extensive security systems and risk mitigation policies and procedures. But there are millions of businesses, organizations, and municipalities that may not have the resources of a large enterprise.
Hackers have figured out that smaller organizations and smaller municipalities have not put the money into protecting themselves. Many don’t even employ basic protection such as cloud-based backups of existing systems, or even an effective password policy. Some of these organizations may use older systems that are unsupported, with outdated software for which no updates are available. Others lack a security infrastructure that includes automated patch and endpoint management.
Compounding the issue is the sheer volume of malicious threat actors that are out to do harm. These range from organized crime syndicates and state-sponsored terrorists to young hackers looking for some digital adventure and ex-intelligence operatives seeking to steal technology and intellectual property.
How to Prevent Your own “Oldsmar Type” Attack
Effective cyber-hygiene does not need to be expensive or complicated. Just as basic home security starts with locking windows and doors, you can take common-sense preventative measures, prioritized by risk, to reduce your chances of becoming a cyber-victim.
Follow these cyber-hygiene guidelines to help prevent your organization from becoming the next Oldsmar:
- Prioritize updates by severity and environmental exposure as they become available
- Limit account permissions in accordance with the principle of least privilege
- Upgrade to the latest version of your operating system
- Remove software that has reached end of life status, and migrate away from obsolete operating systems that are no longer supported
- Leverage multi-factor authentication for software access
- Eliminate “shared user” accounts
- Set password policies for accounts and audit unused accounts regularly
- Ensure that anti-virus software, spam filters and firewalls are up to date and properly configured
- Isolate any necessary computer systems that cannot be updated
- Track and audit remote desktop login attempts
- Ensure that audit logs are enabled for all remote connections and review them for any unusual activity
- Backup all critical systems and data to an offsite location
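Several of the guidelines above (eliminating shared accounts, tracking remote login attempts, auditing unused accounts, and retiring end-of-life operating systems) can be checked from the audit data an organization already has. The script below is an added example, not code from the original post or from Automox: it runs four of those checks over a constructed remote-access audit log and host inventory. Every event, account name, address and hostname in it is made up for illustration; the only vendor date it relies on is Microsoft's published Windows 7 end-of-life date of 14 January 2020, and the Windows 10 date is included only so the lookup is general.

```python
"""Audit checks for the cyber-hygiene guidelines: shared credentials,
failed-login bursts, idle accounts and end-of-life hosts.
Added example with constructed inline data; not the blog's or Automox's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-access audit records (not real Oldsmar logs).
# Fields: timestamp, account, source address, outcome ("success"/"failure").
AUDIT_EVENTS = [
    ("2021-02-05 08:02", "ops-shared", "10.0.0.21",    "success"),
    ("2021-02-05 08:40", "ops-shared", "10.0.0.37",    "success"),
    ("2021-02-05 09:15", "ops-shared", "203.0.113.9",  "success"),  # external address
    ("2021-02-05 13:01", "jdoe",       "10.0.0.21",    "success"),
    ("2021-02-05 13:02", "admin",      "198.51.100.4", "failure"),
    ("2021-02-05 13:02", "admin",      "198.51.100.4", "failure"),
    ("2021-02-05 13:03", "admin",      "198.51.100.4", "failure"),
    ("2021-02-05 13:03", "admin",      "198.51.100.4", "failure"),
    ("2021-02-05 13:04", "admin",      "198.51.100.4", "failure"),
    ("2020-11-01 07:30", "contractor", "10.0.0.50",    "success"),
]
# Constructed list of accounts that exist on the remote-access system.
KNOWN_ACCOUNTS = {"ops-shared", "jdoe", "admin", "contractor", "bkup-svc"}
# Constructed host inventory: hostname -> operating system.
INVENTORY = {"scada-hmi-1": "Windows 7", "eng-ws-2": "Windows 10", "hist-db": "Windows 7"}
# Vendor end-of-life dates: Windows 7 ended support on 2020-01-14 (the January 2020
# date the post mentions); Windows 10's 2025-10-14 date is here only to make the
# lookup general.
EOL_DATES = {"Windows 7": datetime(2020, 1, 14), "Windows 10": datetime(2025, 10, 14)}


def parse(events):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), acct, ip, out)
            for t, acct, ip, out in events]


def shared_accounts(events, window=timedelta(hours=8)):
    """Accounts that logged in successfully from more than one source address
    within one window: a strong indicator of a shared credential."""
    logins = defaultdict(list)
    for when, acct, ip, outcome in parse(events):
        if outcome == "success":
            logins[acct].append((when, ip))
    flagged = {}
    for acct, entries in logins.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            ips = {ip for t, ip in entries[i:] if t - t0 <= window}
            if len(ips) > 1:
                flagged[acct] = sorted(ips)
                break
    return flagged


def failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Source addresses with at least `threshold` failed logins inside one window,
    the pattern a password-guessing attempt leaves in the remote-login audit log."""
    failures = defaultdict(list)
    for when, _, ip, outcome in parse(events):
        if outcome == "failure":
            failures[ip].append(when)
    hits = {}
    for ip, times in failures.items():
        times.sort()
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count >= threshold:
                hits[ip] = count
                break
    return hits


def idle_accounts(events, known, now, max_idle=timedelta(days=90)):
    """Known accounts with no successful login within `max_idle` of `now`;
    candidates for the regular unused-account audit."""
    last_seen = {}
    for when, acct, _, outcome in parse(events):
        if outcome == "success":
            last_seen[acct] = max(last_seen.get(acct, when), when)
    return sorted(a for a in known if a not in last_seen or now - last_seen[a] > max_idle)


def eol_hosts(inventory, eol_dates, today):
    """Hosts whose operating system has passed its vendor end-of-life date."""
    return sorted(h for h, os_name in inventory.items()
                  if os_name in eol_dates and eol_dates[os_name] <= today)


def run_audit(now=datetime(2021, 2, 6)):
    """Run all four checks against the constructed data as of `now`."""
    return {
        "shared_accounts": shared_accounts(AUDIT_EVENTS),
        "failure_bursts": failure_bursts(AUDIT_EVENTS),
        "idle_accounts": idle_accounts(AUDIT_EVENTS, KNOWN_ACCOUNTS, now),
        "eol_hosts": eol_hosts(INVENTORY, EOL_DATES, now),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

On the sample data the shared `ops-shared` account is flagged because it was used from three addresses in one shift (one of them external), the `admin` account shows a five-failure burst from a single address, `contractor` and `bkup-svc` have had no successful login in 90 days, and both Windows 7 hosts are reported as past end of life. The thresholds and windows are defaults to tune for your environment; the point is that each guideline becomes a concrete, repeatable check rather than a one-time intention.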
Some of these steps are neither complicated nor expensive and can go a long way toward improving your security posture. For example, you can find examples of an effective password policy online in a few minutes.
There are many organizations like the City of Oldsmar still using Microsoft Windows 7. As mentioned previously, Microsoft Windows 7 reached “end of life” status in January of 2020. That means Microsoft is no longer providing technical support, software updates, or security fixes. Purchasing new systems with the latest operating system is not necessarily expensive, and will help protect your organization while making it more productive.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.