
BREAKING NEWS: Hackers Tried to Poison Water Supply of Florida Town

Hackers remotely accessed the water treatment plant of a small Florida city and briefly changed the levels of lye in the drinking water, in the kind of critical infrastructure intrusion that cybersecurity experts have long warned about.

The attack in Oldsmar, a city of 15,000 people in the Tampa Bay area, was caught before it could inflict harm, Sheriff Bob Gualtieri of Pinellas County said at a news conference on Monday. He said the level of sodium hydroxide — the main ingredient in drain cleaner — was changed from 100 parts per million to 11,100 parts per million, dangerous levels that could have badly sickened residents if it had reached their homes.

Transcription

TOM: Let’s start the webinar. This is our Deeper Dive series. We do these every Tuesday at 2 p.m. Central Time, and we normally take topics that are current events, or in this case, your biggest threat, everyone’s biggest threat, on the webinar. Sometimes we go into more detail on the main webinars that many of you have attended. But today, we have breaking news.

Last night – well, all night – I had emails, text messages from people I haven’t spoken to in weeks or months about this breach in Pinellas County, Florida. In case you don’t know where that is, that’s in the Tampa region. Oldsmar is just east of Clearwater Beach and right on the very north tip of the bay. I spend a lot of time there, and I can’t wait to get to where travel is normal again and I can spend a lot more time in the St. Pete / Tampa region. And of course, that’s where the Super Bowl was Sunday.

But this particular breach was an attack on the water treatment system, or the industrial control systems that regulate the chemicals and things like that that go into the water to make it safe to drink. What the attacker did was he used their remote access software, which is a very common piece of remote access software called TeamViewer. You may use something called LogMeIn or GoToMyPC, or you might even use Windows Remote Desktop Protocol (RDP) or Terminal Services. Anyway, these are all remote access software.

In this particular case, it appears anybody could remote into this one particular PC, or maybe they have more than one, but on this particular one, a supervisor who was also remoted in noticed something unusual at about 8:00 in the morning, Eastern. He didn’t think much about it because he thought maybe another supervisor or another water utility employee was also using the system. Already, there are some security protocols not being followed. You should never share credentials. You should always have logs and specify exactly who is in a particular system, and administrative controls and things wrapped around all of those things.

He just happened to be logged in at about 1:30 in the afternoon and he saw the mouse moving around, and then the lye, or sodium hydroxide, level in the drinking water to be delivered to the residents of this town of 15,000 was increased a hundredfold. Not only is that really, really unhealthy, but it could’ve caused catastrophic damage to the pipes because lye is very caustic. It’s like flashbacks from Flint, Michigan, with their water quality problem that caused the pipes to corrode and things like that. Flint is a much larger town, but even 15,000 customers – even five – is not inconsequential.

Right now, as of the last time I looked into this, they don’t know who the threat actor is. My speculation is that this is probably a not very sophisticated or very experienced threat actor. Might even be in the United States. Maybe not. The reason is this: I know where to go on the white web, the good web, the part we all use each and every single day and run a utility, and it shows me all of the services under whatever range of IPs I want to select. I can quickly see if it’s protected by any sort of security, and if it’s not, I access it. It’s that simple. A mouse click away.

This type of attack really doesn’t lend itself to a nation-state, although it’s certainly not out of the realm of possibility. It just wasn’t that sophisticated. It would be beneath them, almost. That’s the way I think it’s going to play out, and if that’s the case, they’ll probably never announce it because they’re not the only one that’s not secure with remote access.

We traded our souls for security, traded convenience for security, especially in the COVID-19 days. But how did we get here? How come there are thousands and thousands and thousands of remote access computers out there that are not secure?

Nicole Perlroth is a very, very well-known writer for New York Times, and she is an expert on worldwide cybersecurity threats. I thought you guys might want to watch this video.

Nicole Perlroth: We keep seeing the capabilities keep getting better and better, and we keep seeing more and more adversaries probing at our critical infrastructure. There were more attacks on American critical infrastructure in the second half of last year than we’ve seen in the previous two years combined. So the threat is getting more frequent. Here’s the bigger thought, though: the United States still is the world’s top cyber superpower. We have the best offensive capabilities when it comes to cyberattacks. There’s a reason why you keep seeing me report on Russian attacks and Iranian attacks and Chinese attacks. It’s not because I’m ignoring what the NSA or Cyber Command does. It’s just that their attacks are much more difficult to detect because they’re better and more sophisticated and more stealthy.

The problem is that over the last 10 years, the United States’ lead in this area has been slipping. We are now the most targeted, if not maybe among the most targeted countries in the world by hackers. And we are also the most vulnerable because we’re so digitized. We’ve made this decision as a society a long time ago that we wanted as much convenience and access as possible. First it was Uber, and then we developed the Uber of this and the Uber of that. We wanted to control our whole lives via remote control.

And that’s also true for our critical infrastructure. We wanted to make it possible for software engineers to be able to measure the temperature and the pressure and the chemical levels at our water treatment facilities from afar. But that same access makes us more vulnerable than most other nation-states out there. So we have a big problem here when it comes to defense.

TOM: She knows what she’s talking about. She’s been in the cybersecurity reporting world for several years, and coincidentally, her latest book was released today. I did buy a copy of it because I can’t wait to read it, but haven’t had time before this. But she dives into the cyberweapons market, especially as it is with government-backed organizations such as the United States Cyber Command, the NSA, and all of that, because the United States has its own cyber warfare.

But as she was alluding to, the attacks on the United States, especially infrastructure, have dramatically increased during the last half of 2020, and a lot of that has to do with COVID. I remember that period in about end of February, beginning of March, we set up literally hundreds of remote workforce access for our clients in just a matter of two to three weeks. Now, we have very specific protocols, processes, and controls. You guys know all I do is talk about technical, physical, and administrative controls, so we didn’t just turn on TeamViewer, LogMeIn, or GoToMyPC. We’ve got a very specific way we do it. It has to match our specifications or we will not do it. Things like multi-factor authentication, virtual private network connections, IP restrictions.

If this was from outside the country and it truly was an inexperienced hacker, they may not have even known what they were attacking. All they saw was an industrial control system. Now, arguably, since they knew – they could’ve just been spinning dials, but maybe they did know something about water utilities. Perhaps it was a disgruntled former employee or current employee. But at any rate, it was easy to attack.

If you’re just dealing with an IT company, security is not job one. Productivity, access, not going down, keep the water flowing – that’s job number one. Keep the client happy, if you outsource IT. If you have in-house IT and they don’t have cybersecurity specialties, once again, that is not their number one priority. Security companies make security itself, information security or infosec, the number one objective. Everything else is secondary, and everything else is analyzed per risk.

At some point, or many points throughout the entire lifecycle of our relationship with clients, the head honcho is always aware of what kind of risk his organization is taking by shortcutting security procedures such as “It’s too much hassle to set up multi-factor authentication” or “We have no experience with multi-factor authentication. A username and password will be just fine” or “We don’t need a virtual private network because you might need to log into the system from McDonald’s.” That would be IP restriction, but “We don’t want to use a virtual private network for this reason. It increases overhead, it’s going to increase expenses” and things like that.

What many of us – and this has come to the attention of the World Economic Forum; they just met a week or so ago in Davos, Switzerland – I might be mispronouncing it; I’ve never been there. But that was a very big topic of interest: a cyber pandemic that would make our COVID pandemic seem benign in comparison. The founder and head honcho at the World Economic Forum has a brief video about what he sees as the greatest threat to everyone on the planet. Not just U.S. critical infrastructure. It could be financial. Not everyone on this call is in the water utility business, but it could be finance, it could be law, it could be electrical grids. Our electrical grids are always being probed by adversarial nation-states. But let’s hear what Klaus here has to say.

Klaus Schwab: We all know, but still pay insufficient attention to, the frightening scenario of a comprehensive cyberattack which would bring to a complete halt the power supply, transportation, hospital services, our society as a whole. The COVID-19 crisis would be seen in this respect as a small disturbance in comparison to a major cyberattack. We should use the COVID-19 crisis as a timely opportunity to reflect on the lessons the cybersecurity community can draw, and improve our preparedness for a potential cyber pandemic.

TOM: What Dr. Schwab there is talking about is imagine if it was a coordinated attack using one of these simple tools that are available to anyone, anywhere in the world on the internet, and it just exploits TeamViewer remotes, of which there are hundreds in the United States – that’s not even counting LogMeIn, GoToMyPC, RDP Connections, things like that. And then there’s much more sophisticated attacks.

If you’ve been the victim of a ransomware attack in the last 3 years and you paid the ransom or maybe you restored from backup or whatever and you’re whole, you got over it, and you did not have a security expert go through that network with enterprise grade tools – which is affordable, by the way – I will promise you there are other payloads on your network just waiting to be exploited, and those are stealth. Those are known as advanced persistent threats that can hang out for weeks or months or even years before being exploited. I can buy lists of all those servers that have backdoors, or I can buy lists of all the workstations that have keyloggers on them.

Now, imagine if North Korea and perhaps Russia – just what if – and maybe, I don’t know, Iran also. China usually doesn’t play in that. They just want to steal intellectual property. But those three adversaries would be more likely to want to create chaos in the United States, and perhaps even around the world in the case of North Korea and maybe even Iran. They look at a long list of different things that they could exploit and damage critical infrastructure, shut down hospitals, maybe shut down Wall Street, the international banking system, and they decide to coordinate their attacks, along with criminal syndicates throwing ransomware out there, because ransomware is very easy to distribute.

If you’ve got a lot of criminal syndicates, or a few really large criminal syndicates that are very, very skilled at ransomware, it would also be very easy to pay them off into coordinating server exploits, remote access, and other types of attacks on things like I just mentioned – critical infrastructure and things like that. And he’s describing that. What would happen? Transportation would fail. Energy would fail. Water would fail. It would be chaos all over the world. A ransomware attack could be everything from McDonald’s to the Federal Reserve.

Personally, I think it’s imminent. I do these Deeper Dives every Tuesday. Some weeks I do four or five other webinars. The best thing I can do is to raise the alarm, just like Dr. Schwab and Nicole Perlroth – trying to stress to everyone that we all have to be security aware. We all have to have a security-first environment, and we all have to treat security seriously, and we all need to do it yesterday. Not tomorrow or when it’s convenient or “after I get over this other project.” It’s got to be implemented immediately.

So what does Pinellas County or that town in Florida need to do, and what do you guys need to do to increase your defense posture? I mean dramatically and inexpensively increase your defensive posture to what I believe is the coming cyber pandemic.

The first thing is securing remote access systems. If you have a remote, you work from home in your accounting firm or your law firm or your water quality control systems, your ICS SCADA, it’s got to be secure. It’s an inconvenience, but just as you know it’s important to lock the doors to the office when you leave in the evening, lock the doors or the gates to the work centers, to lock the company vehicles and your personal vehicles in your home – you’ve got to think that way all the way through. But you’ve got to have secure remote access. This is like kiddie script territory. If you’ve got a hackable remote access system, that is one of the easiest and arguably the cheapest. Sometimes you don’t even have to pay for that if you’ve got a security guy that’s got experience with it.

In this particular case, it wouldn’t have mattered, if what the news reports say is true. But remember those industrial control systems can be attacked stealthily with server backdoors, and it doesn’t take but just a quick Google search to find all the default usernames and passwords for all the manufacturers of all the industrial control systems that are out there in the world. Google search will give you that information.

And unfortunately, what we’ve seen is these types of device manufacturers have been historically very, very sloppy in securing their systems. Some of them have hard-coded passwords or usernames, so now we’re down to one piece of information that might be able to be changed, and even then some of them put backdoors on them so they can get in, and it’s hard-coded. So every device, every Internet of Things thing out there, has a default username or default password to get into it. Perhaps.

Now, they’re getting a lot better, but in the world of technology and software, the only difference between firmware and software is that firmware is embedded in the hardware. That’s it. We can get into the syntax of a language, and maybe it’s Assembler instead of C and all these gobbledygook things that most people don’t care about, but ultimately it’s software. That’s all it is. Hardware manufacturers have been notorious for failing to secure their devices, and all of you on this call that have industrial control systems have to be aware of that, and you’d better know the manufacturer, the model, the version number of the firmware that’s on there. Is it maintained? Is it up to date? Are there known vulnerabilities? Or you’d better have somebody that knows enough about security to know all of that information. Because if it’s got known vulnerabilities and it’s an unpatched system, it can be exploited.

Another thing that you need to do is deploy EDR. You guys that have been with us for weeks and months and years know that that’s our big deal. If you are relying on an antivirus software package to protect your law firm or your water utility, you’re wasting your time, money, and you’ve got a very, very misplaced sense of security. Antivirus is useless against modern-day cyberthreats. Remember, they’re using our National Security Administration’s – arguably the world’s best offense cyberattack force – they are using those guys’ tools against us because the NSA was breached. And if the NSA can be breached, why couldn’t you? Don’t tell me you’re too small. You guys have seen the myths, the slides. That’s a myth. 15,000 population.

There was a breach a while back, and I can’t remember the dam’s name, but there’s a very, very large dam – I think in Oregon or Washington – and one of the monitoring agencies – I don’t know if it was WaterISAC or CISA or whoever it was – detected a threat to this dam. They could see that they had access to the gates. They were worried that if they opened all the gates up, I don’t know how many people could’ve been killed, but it could’ve been catastrophic. Fortunately, it ended up being a very small dam not far from Manhattan that even if they had opened all the gates, it really wouldn’t have been a big deal. It was a very small dam, and maybe the water levels and the rains and all that were in a place where it wouldn’t have caused that much damage. But they were scared to death that it was this other dam, and that could’ve simply been North Korea picking the wrong dam. Could’ve been that simple. Don’t really know. Don’t know all the details of all that stuff.

Once again, you’ve got to establish a security-first environment. That needs to be top-of-mind for everyone. I’m not saying you’ve got to eat, breathe, and sleep it every day, but what you don’t want to do is have a culture where everybody’s complaining about having to get their phone out and press a button so they can get in to their remote access. It doesn’t have to be that painful, but it is expected behavior if you’re doing the right leadership things when it comes to cybersecurity.

Finally, I want to leave you with this, that I mention quite often. It’s not if you get ready, it’s when you get ready – and it’s also going to be probably after a cyberattack because it’s much easier to hope it doesn’t happen and to buy cybersecurity insurance than it is to actually get proactive. It’s not the money, the budget. If you’ve got cybersecurity insurance and you don’t have good cybersecurity, congratulations, you spent the same amount of money in the wrong place. You don’t buy house insurance and not lock your doors. You want to prevent the worst thing from happening as best you can. You just need insurance to hopefully make you whole.

If you’re in a utility or a pseudo-government organization such as that, you’re probably not going to go out of business, but if you’re a law firm or an accounting firm or a dentist, a private practice doctor, there’s a good chance that if your data gets breached, and especially if it’s stolen and sold on the Dark Web, there’s about a 40% chance in 6 months you’re going to be closed down. All of your patients, clients, customers are going to lose trust, and you’re not going to be able to get that back.

So engage security specialists, not IT specialists. There’s a big, big difference. I’d be happy to talk to anybody about that in more detail. Or join us on one of our big webinars. I’m sure some of you are probably on the calendar for an upcoming webinar.

We’re going to do another webinar on this when we learn more details about it, or as more information comes to light. We don’t have any dates or times yet, but if more information – it will be soon – or if another one happens, which is really just a matter of time, we’re going to do another. So just keep an eye on the emails when they come in there so you can catch those.

If what happened in Florida went down like I think it did – and I could be wrong. Just pure speculation. I have no insider knowledge. I don’t know anyone involved with it or anyone that’s investigating it. But if it happened and it was the threat actor that I think it was, a simple security risk assessment would’ve prevented that from happening. And remember, it was only because somebody was looking at the same screen that it was caught in the first place.

So that’s the first thing. If you’re in the water utility business, you know you’ve got to do AWIA, or most of you have to do AWIA, to assess what your risk is and identify what you need to defend your utility. If you’re not in that, you may be subject to other things, like Sarbanes–Oxley or HIPAA requirements or who knows what. Chances are you’re subject to some requirements, and those invariably go into complying with the NIST Cybersecurity Framework, and the very first step is identifying what you have to protect and what your vulnerabilities are.

Oh, we’ve got a code. I didn’t put it on the slide. Kindsey, can you pop it up in there?

KINDSEY: I will.

TOM: Yeah, pop the code up there. We normally charge $495 for this assessment. And we don’t do this on Deeper Dives, but today was special. I’m hoping that it’s hit so much public knowledge that we’re going to get some traction on this. But instead of the $495 with the code that Kindsey just put in there in the chat box – just click on that link above the code that she’s got there and get on the calendar to get you a risk assessment done. Put the code in there and it won’t cost you a thing. There is no obligation. We think of it as a way to do just what we’re doing today – to educate users more and more of the seriousness of the threat that is out there.

Having said that, I’d love to have any questions. I think we hit the 30-minute mark just about perfectly. You can throw any questions up in the Q&A, the chat box.

Incidentally, we’re thinking about changing up some of the Deeper Dives to be like a forum where everybody can participate, like in maybe a gallery view, and moderate it and present topics of interest. You guys can help us help you. Sometimes, especially me, I can’t see the forest because of the trees, and something that I think may be so, so basic that I even have to look it up to give you the right answer – but those are the things.

We’ve got to bridge this knowledge gap between the security experts and the users. No matter how smart you are. I don’t care if you’re a research scientist with three PhDs; if security is not your specialty, you need a security specialist. A doctor, a lawyer, a water treatment specialist. I didn’t even know they put lye in water. I think it’s to raise the alkalinity. I think that’s what it is. See, I don’t know. But I do know cybersecurity. “Lowers the pH to help other chemicals be in the best range to treat the water.” Thank you, Scott. And enjoy the warm weather while you have it. [laughs]

I don’t think we have any more questions. I certainly hope you had your eyes opened. Keep a lookout for the email about a follow-up to this Florida incident. Thanks again for attending. See you next time.
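The point made early in the webinar, that a shared remote-access account with nobody checking who is connected lets a second party sit on the same HMI unnoticed, is something the TeamViewer host's own connection log can catch after the fact, even where it was not caught live. The script below is an added example, not code from the webinar, from its presenter, or from TeamViewer. It reads records in the tab-separated layout that TeamViewer's Connections_incoming.txt uses (remote ID, display name, start, end, local Windows user, connection type, connection GUID) and flags sessions from remote IDs not on an allowlist, sessions outside approved hours, and sessions that overlap on the same machine. The day-month-year timestamp format, the allowlist, the approved hours and the log lines themselves are assumptions constructed for the example; adjust the field order and format if your TeamViewer version differs.

```python
"""Audit TeamViewer incoming-connection records for sessions that should
not have happened: unknown remote IDs, off-hours sessions, and two remote
parties on the same machine at once.

Added example, not code from the webinar or from TeamViewer. Assumed:
the tab-separated layout of Connections_incoming.txt (remote ID, display
name, start, end, local user, connection type, connection GUID) and its
DD-MM-YYYY HH:MM:SS timestamps. Allowlist, hours and log lines are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set

LOG_TIME_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed day-month-year layout

# Constructed sample records; the GUIDs are shortened for readability.
SAMPLE_LOG = """\
111111111\tops-laptop-1\t08-02-2021 07:55:12\t08-02-2021 08:20:40\tSCADA-HMI\\operator\tRemoteControl\t{a1}
222222222\tunknown-host\t08-02-2021 08:02:03\t08-02-2021 08:05:51\tSCADA-HMI\\operator\tRemoteControl\t{b2}
222222222\tunknown-host\t08-02-2021 13:27:19\t08-02-2021 13:32:05\tSCADA-HMI\\operator\tRemoteControl\t{c3}
111111111\tops-laptop-1\t08-02-2021 13:25:00\t08-02-2021 13:40:00\tSCADA-HMI\\operator\tRemoteControl\t{d4}
333333333\tvendor-support\t07-02-2021 02:14:00\t07-02-2021 02:30:00\tSCADA-HMI\\operator\tRemoteControl\t{e5}
"""

# Hypothetical allowlist: TeamViewer ID -> who that ID is supposed to be.
ALLOWLIST = {
    "111111111": "ops-laptop-1 (shift supervisor)",
    "333333333": "vendor-support (integrator, by appointment)",
}


@dataclass
class Session:
    remote_id: str
    display_name: str
    start: datetime
    end: datetime
    local_user: str
    conn_type: str
    connection_id: str


@dataclass
class Finding:
    connection_id: str
    kind: str      # "unknown-id", "off-hours" or "concurrent"
    detail: str


def parse_log(text: str) -> List[Session]:
    """Parse the tab-separated records; reject lines with the wrong shape."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        remote_id, name, start, end, user, ctype, cid = fields
        sessions.append(Session(remote_id, name,
                                datetime.strptime(start, LOG_TIME_FORMAT),
                                datetime.strptime(end, LOG_TIME_FORMAT),
                                user, ctype, cid))
    return sessions


def audit(sessions: List[Session], allowlist: Dict[str, str],
          window_start: time = time(6, 0), window_end: time = time(18, 0)) -> List[Finding]:
    """Return one Finding per rule a session breaks."""
    findings: List[Finding] = []
    for s in sessions:
        if s.remote_id not in allowlist:
            findings.append(Finding(s.connection_id, "unknown-id",
                                    f"remote ID {s.remote_id} ({s.display_name}) not on allowlist"))
        if not (window_start <= s.start.time() <= window_end):
            findings.append(Finding(s.connection_id, "off-hours",
                                    f"started {s.start:%H:%M}, outside {window_start:%H:%M}-{window_end:%H:%M}"))
    # Overlap check: sort by start; for each session, any later session that
    # starts before this one ends shares the machine with it.
    ordered = sorted(sessions, key=lambda s: s.start)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:
                break  # later sessions start even later, so no more overlaps
            findings.append(Finding(a.connection_id, "concurrent",
                                    f"overlaps {b.connection_id} from {b.remote_id}"))
            findings.append(Finding(b.connection_id, "concurrent",
                                    f"overlaps {a.connection_id} from {a.remote_id}"))
    return findings


def flagged(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group flagged connection GUIDs by rule, for a quick summary."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.kind, set()).add(f.connection_id)
    return out


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), ALLOWLIST):
        print(f"{f.connection_id}\t{f.kind}\t{f.detail}")
```

Run against the sample, the audit flags the unknown ID's two sessions, the vendor session at 02:14, and both overlapping pairs (the 08:02 and 13:27 sessions from the unknown ID, each sitting on top of a supervisor's session). On a real host, point it at the actual Connections_incoming.txt and ship the findings to whatever you use for alerting; the allowlist is only meaningful if the TeamViewer account itself is no longer shared and has MFA, as the webinar says.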
