By Dr. Wesley McGrew, Senior Cyber Fellow; firstname.lastname@example.org
On February 5th, an intrusion was detected at a water treatment plant in Oldsmar, Florida. A plant operator observed an unknown attacker gaining control over their mouse and keyboard. The attacker attempted to increase the level of sodium hydroxide in the water supply by orders of magnitude. At high levels, this increase would be harmful to the population, but the change was reverted immediately by the local operator. Officials stated that automated safeguards would have triggered an alarm if PH levels approached unsafe levels. What problems does this incident illustrate? What lessons are there to be learned?
The plant used TeamViewer, a popular remote desktop access service and software solution, to share access to the Human Machine Interface (HMI) of the plant. An HMI is a user interface for a physical process—a graphical representation of the water treatment plant, in this case. Where there were once panels of physical gauges, lights, and switches, you are now more likely to find LCD panels controlled by touch or mouse and keyboard. An HMI often runs on a traditional desktop operating system, like Windows, on commodity hardware. While HMI systems allow operators to be more efficient in managing physical processes, that efficiency is obtained through complexity. Without properly managing and mitigating the risks, complexity is the enemy of security.
An HMI interacts with Supervisory Control and Data Acquisition (SCADA) systems. Here, the key concept is “Supervisory Control”. In this specific process, the amount of sodium hydroxide in the water supply is maintained by end-point programmable logic controllers (PLC) that represent the boundary between cyber and physical control. Sensors read the concentration levels, and the PLCs use those sensor measurements to control the amount of sodium hydroxide being introduced. The HMI allows operators to “supervise” this process by displaying current sensor measurements alongside a “set point”—the target concentration. Operators do not, as part of their normal routine, have direct control over the relays and physical elements of the process. Instead, they can change the set point that the PLCs use (as a target concentration, in this case).
To attack a physical process that is part of critical infrastructure, one option is to exploit the PLCs and the protocols that they speak. While there is plenty of attack surface there, it is not the easiest or most straightforward avenue of attack. Targeting the HMI gives the attacker the ability to have the same high-level view as operators. In this case, the attacker simply changed set points in the same way as an operator would. More advanced attackers might exploit vulnerabilities in HMI products to cause the HMI to “lie” to the operators about set points and sensor measurements while transmitting different set points to the end-point PLCs. A decade ago, my Ph.D. research identified and classified these HMI vulnerabilities – there was no shortage of them then. Our experiences in vulnerability analysis of SCADA networks over the subsequent years and a quick look at the Common Vulnerabilities and Exposures (CVE) database have indicated that this situation has not changed much.
Off-the-shelf remote access solutions such as TeamViewer, VNC, and similar are meant for remote support of traditional IT systems. They are often part of “shadow IT”— measures put in place by end users for convenience as workarounds to restrictions put in place by policy, procedure, or network architecture. These remote access solutions often place critical data and systems a single weak or leaked password away from an attacker’s fingertips. While it is not clear how an attacker gained access to the water treatment plant in this incident, it is likely a compromise of the password. The password may have been shared among users, and therefore, recorded in someone’s email or documents accessed as part of another breach of security. It may have been the same password that a user had set for a completely unrelated web site or service that was breached. It may have simply been easily guessed.
Attribution of an attack becomes easier when you can establish a level of skill required to carry out an attack. Unfortunately, in this case, there is no lower bound on sophistication needed to manipulate this water treatment plant’s processes. Password reuse and guessing attacks are trivial, and no specific SCADA or HMI experience is required to explore control panel interfaces and change values. It is tempting to ascribe a motive to cause harm to the action of increasing sodium hydroxide concentration; however (and given the wide range of skill levels that could have reached that point), it is more likely the attacker had no real understanding of what they were doing (or targeting) and merely wanted to see if they could change the numbers. This may have simply been one remote desktop in a series explored by the attacker that day as part of a campaign of identifying and establishing a foothold into the networks of future ransomware victims.
Stakeholders in critical infrastructure need to take steps to raise the bar for secure access to their control systems. Here are a few actionable recommendations:
Elements of critical infrastructure should be compelled to implement security measures and testing, due to our reliance on their secure and safe operation. Increasing security and audit log collection will prevent attacks of opportunity and improve the ability to investigate and attribute more sophisticated attacks.