The world is heading towards a dangerous crossroads in cyber security. A future in which, more and more, critical physical systems - whether machinery or utilities - have a direct impact on human life.
First Published 1st March 2021 | Latest Refresh 15th January 2023
It seems hackers are acquiring a taste for the finer things in life, like waste. Mmmm... waste.
4 min read | Reflare Research Team
The most important hack in recent times had nothing to do with government actors or advanced technology. Instead, it’s the potential physical consequences that made it stand out.
On February 5th, an unknown attacker gained access to a Florida town’s water treatment system and proceeded to instruct the system to increase the levels of lye in the water to 100 times their normal value.
In low concentrations, lye is not dangerous to humans and has many positive properties that lead to its common use in foods and household chemicals. However, in higher concentrations, its high basicity makes it both poisonous for humans and dangerous to infrastructure. Under certain conditions, high concentrations of lye can do anything from corrode to explode.
Since the levels of lye used under normal conditions cannot be determined by us at this point in time, it is hard to tell if a 100x increase would have had any of these consequences. However, it is relatively safe to assume that the attacker at least intended to cause havoc or even death through the increased lye concentration.
Interestingly, this does not appear to have been the work of a high-level saboteur or state actor. Instead, the attackers logged into “TeamViewer” - a software commonly used to remotely connect to computer systems. As the Covid-19 pandemic took off, it was often hastily installed on systems to allow users to work remotely. Worse yet, often the free “personal” version of TeamViewer was installed since it does not require any licensing or fees. In addition to breaching the terms of service, this also greatly increases risk, since the personal version lacks many of the features required for secure authentication of multiple users.
At this point in time, no new vulnerability in TeamViewer has been revealed. This leaves us with two main possibilities:
1. A user’s password was stolen or taken from a leak and then abused by 3rd party attackers to log in
2. A current or former employee accessed the system to perform what’s known as an “insider attack”
Both scenarios are disturbing in their own right.
The thought that infrastructure of vital importance is sometimes protected by shared, reused, or trivial passwords imply that attacking such systems is not the exclusive domain of well-funded state actors. Low-level criminals or hacktivists could easily look up leaked passwords or even bribe employees.
And while this time around the change was immediately noticed and reversed, the same can not be guaranteed for future cases. The question is not if, but when we will see the first death from the direct consequences of a critical infrastructure cyber attack. Most likely this attack will not come from a highly advanced adversary exploiting a highly technical vulnerability. Instead, human fatalities from such a cyber attack will be attributed to sloppy policy or weak passwords.
Now, it's completely reasonable to expect that lessons from this breach would be learned by those who manage critical infrastructure. However, barely six months later, the United States Cybersecurity and Infrastructure Security Agency (CISA) reported a series of newer, unrelated ransomware incidents on water and wastewater facilities in California, Nevada and Maine.
In a number of these cases, hackers had managed to paralyse the specialized supervisory control and data acquisition (SCADA) devices that issue commands to mechanical equipment. The high societal dependency on these systems combined with the relatively low cybersecurity resilience in many pieces of critical infrastructure makes for very attractive targets. Although water plants are firmly being targeted at the moment, we are now also seeing these styles of attacks going after a wider range of critical infrastructure. Things are more likely to get worse before they get better.
The only way to protect against such scenarios is to make sure that all staff members are well aware of the risks and well trained to detect and prevent them. As a real-life example from one particular organization, you can buy the best firewall in the world, but if your staff are setting up TeamViewer with the password “12345678”, you might be in for a difficult time.