Remote access into manufacturing, industrial and critical infrastructure has been increasing in light of 2020, and is becoming increasingly commonplace. The recent breach of the Oldsmar water treatment facility should give all organizations concern. In case you missed it, someone remotely accessed a computer for the city’s water treatment system and briefly increased the amount of sodium hydroxide, also known as lye, by a factor of more than 100; according to company officials and news sources.
The chemical is used in small amounts to control the acidity of water but it’s also a corrosive compound commonly found in household cleaning supplies such as liquid drain cleaners. The city’s water supply was not affected. A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it, according to authorities.
Most ICS devices and systems were developed and deployed without consideration for the remote environment we live in today. These systems exist in ‘industrial networks.’ Both of these operate on the premise: If you can access, you can control. Authentication of a ‘virtual’ or ‘digital’ user was not part of the design.
Remote access tools have since been deployed which connect those industrial systems to the outside world. In the case of Oldsmar, it was reported as TeamViewer. While each toolset is different and may have different vulnerabilities, any remote access is a vulnerability.
It is the process, not the specific tool, that is flawed.
It is the process, not the specific tool of traditional remote access, that is flawed. It assumes that as long as you pass the initial authentication step, you can now roam and control systems in the industrial network freely. These digital systems control physical outcomes and can have serious impact to the environment and cause serious human consequences.
The feedback we are receiving from the industry is – ‘not a major concern, we are different.’ This is shortsighted and dangerous. A different tool is not a different process. These traditional tools can be very effective in the ‘Enterprise’ network because the ‘Enterprise’ assets have their own authentication controls. However, the ‘Industrial’ network and assets do not.
A different tool is not a different process.
One access verification allows control to all. Much like walking into a building and all the other doors are unlocked. This is another example of ‘Enterprise’ security practices that do not apply equally in the ‘Industrial’ environment.
If you have responsibility over any industrial process, understand that remote tools are available to specifically address this common misunderstanding by engineers, IT and security folks alike. These tools have the capability to combine remote digital access, targeted assets, audit capabilities and human process controls.
It’s more important than ever to practice Digital Safety when lives are at stake. Velta Technology specializes in Digital Safety and Cybersecurity for the industrial space. We understand industrial assets and infrastructure and bridge the gap between Industrial IoT initiatives and OT/IT convergence.