The relative ease with which a cyber attack was carried out on a supervisory control and data acquisition (SCADA) system has prompted the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and environmental regulators from multiple US states to issue warnings over how hackers can exploit desktop sharing software.

Fears about the security of critical national infrastructure (CNI) will grow after it emerged that a water utility in Florida was infiltrated through a popular remote desktop application.

The attack on the SCADA system was thwarted by an alert employee. However, it highlights how hackers can use everyday software (TeamViewer, in this case) to potentially devastating effect. The threat is magnified if facilities have weak password protocols in place.

Systems at the Florida facility all shared the same password for remote access and connected to the internet without apparently having firewall protection installed.

From SCADA access to manipulating water treatment systems

Once they had accessed the SCADA system in Florida, the hacker manipulated the systems controlling the plant to increase the amount of sodium hydroxide. The caustic chemical is used in the water treatment process to adjust the water’s pH and remove contaminants.

Plant personnel spotted the unauthorized change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and set off its own alarm. As a result, the water treatment process continued to operate as normal.

TeamViewer is typically used by IT support teams to remotely access employee devices without using a virtual private network (VPN). The Florida utility had switched to a different tool six months previously, but the TeamViewer program remained in place and unused, providing an open door through which the intruder could gain full access to the system.

Many utilities also put themselves at risk by using old operating systems, such as Windows 7, which Microsoft no longer supports with security updates. This leaves systems exposed to attacks.

Low-level infrastructure hacks should not be overlooked

It is just over ten years since the definitive story on SCADA attacks emerged. The Stuxnet worm destroyed the working capability of the Iranian Bushehr nuclear power plant. Within several months of the attack, Stuxnet had infected approximately 50,000 different Windows computers along with 14 major control systems.

This latest SCADA attack and a 2020 attack on a natural gas compression facility are not on the same scale as Stuxnet, but they do illustrate that cyberattacks on industrial facilities and critical infrastructure are a continuing threat.

The latest incident highlights a need to strengthen water and wastewater facilities’ cybersecurity capabilities to match other critical infrastructure sectors. That should include hardening internal systems governance to prevent abuse by disgruntled employees. Former US cybersecurity czar Christopher Krebs has suggested the attacker was “very likely” an insider, possibly a disgruntled employee, who would already have access to systems.

This latest incursion will remind the new Biden administration that, although it has made noises on tackling threats like ransomware, US critical infrastructure remains at risk from cyberattacks. This latest attack failed. Next time, the authorities may not be quite so lucky.