Florida Water Hack highlights the risks of remote work without proper security

The issue came into sharp focus on February 5, when hackers gained access to a Florida water treatment plant using dormant remote access software and then attempted to poison the water supply. The hack was quickly caught by a human operator at the facility, but the incident points to a potential economy-wide problem, as the Covid-19 pandemic has prompted millions of workers to work from home.

“The problem isn’t the fact that remote software existed. I think the problem is that an opponent obtained the credentials for the opponent to access,” said Damon Small, technical director of Security Consulting at NCC Group North America.

“What it underscores, as an information security professional, is the need for strong authentication when critical infrastructures start using these types of remote access systems.”

As reported by CNN, the treatment plant had used multiple computers with an outdated version of Microsoft Windows to remotely monitor the facility. All computers shared a single password to access a seemingly disused version of the factory remote management software.

According to Pinellas County Sheriff Bob Gualtieri and a Massachusetts government advisory to public water providers, the hackers gained access to the water facility’s control systems through remote access software known as TeamViewer.

Martina Dier, a TeamViewer spokesperson, said an investigation found no evidence of suspicious activity on its platform.

Why working remotely can lead to hacks

The rise of remote working has given people flexibility to work without risking large gatherings of colleagues. But it has also made workers more vulnerable to targeted attacks. And in some cases, it has put previously secured work functions online, accessible to anyone with the correct credentials.

Eric Cole, a former CIA cybersecurity expert and author of the upcoming book “Cyber Crisis,” said many critical infrastructure systems, such as water treatment plants, are built as closed-loop systems and have been deliberately kept off the wider Internet.

“You had to get past the guards with the guns, the fences, the video cameras and all the physical security measures to gain access,” he explained.

But a few years ago, many utility companies began putting their systems online to pave the way for remote working. The pandemic has only accelerated that process, and the added security needed to put these systems online has not always followed.

“These systems were never designed for that purpose, and proper security was never put in place,” he said.

Damon Small, who works with oil and gas companies that have remote locations, said there are perfectly good business reasons to run these systems remotely.

It can also be done safely. He made three recommendations to support these systems: 1) no shared accounts; 2) multi-factor authentication; and 3) Virtual Private Network (VPN) technology so that the systems are not directly exposed to the Internet.

Still, he acknowledged that these tips were easier said than done and cost time and money.

“The problem is that you can’t upgrade something like a water treatment plant as easily as an email system in a company, because a water treatment plant always has to work,” he said.

“We need to help all of these critical infrastructures as best we can, knowing that we don’t have the benefit of shutting down at 5 a.m. every day. How do you upgrade these things and make a system that may have been deployed two or more? how do you make it resilient to 21st century attacks?”

Until those upgrades are in place, similar hacks can be expected at critical infrastructure facilities, Cole warned.

“They are more vulnerable than the average person or citizen would believe or would like to believe,” said Cole.

“I think this shows us that no matter who you are, whether you are an individual, a small business or a large corporation, if you have vulnerabilities, you will be discovered and you will be a target, and cybersecurity is your responsibility.”

CNN’s Brian Fung and Alex Marquardt contributed to this report.
