“The problem is not the fact that remote software existed. I think the problem is that an adversary got hold of the referees so that the adversary could gain access to it,” said Damon Small, technical director of security advice at NCC Group North America, said. .
“What it emphasizes, as a professional about information security, is the need for strong verification when critical infrastructures are going to use these types of remote access systems.”
According to Pinellas County Sheriff Bob Gualtieri and a Massachusetts government adviser to public water providers, the hackers gained access to the water facility’s control systems through software known as TeamViewer.
Martina Dier, a spokeswoman for TeamViewer, found no evidence of suspicious activity on the platform in an investigation.
Why remote work can lead to hacks
Eric Cole, a former CIA expert on cyber security and author of the forthcoming book “Cyber Crisis”, said that many critical infrastructure systems, such as water treatment plants, are built as closed loop systems and are deliberately kept out of the wider internet.
“You had to pass the guards with the guns, the fences, the video cameras and all the physical security measures to gain access,” he explained.
But a few years ago, many utility companies started putting their systems online to pave the way for remote work. The pandemic only accelerated the process – but the increased security required to put these systems online did not always follow.
“These systems were never designed for that purpose, and proper security was never put in place,” he said.
Damon Small, who works with oil and gas companies with remote locations, said there are many appropriate business reasons to make these systems work remotely.
It can also be done safely. He offered three recommendations for building these systems: 1) no shared accounts; 2) multi-factor authentication; and 3) Virtual Private Network (VPN) technology so that the systems are not directly exposed to the Internet.
Yet he acknowledged that these tips were easier said than done, and that they took time and money.
“The problem is that you can not upgrade something like a water treatment plant as easily as an email system in a business, because a water purification plant has to function all the time,” he said.
“We need to know all this critical infrastructure as much as we can, that we do not have the benefit of closing every day at five o’clock. How can you upgrade these things and make a system that could have been deployed? Three decades ago – how do you make it resilient to 21st century attacks? ‘
However, until the upgrades are done, similar heels can be expected in critical infrastructure facilities, Cole warned.
“They are more vulnerable than the average person or ordinary citizen would believe or would like to believe,” Cole said.
“I think what it shows us, no matter who you are, whether you’re an individual, a small business or a large company. If you have a vulnerability, you will be discovered, and you is a target, and cyber security is your responsibility. ‘
Brian Fung and Alex Marquardt of CNN contributed to this report.