Jives with my experiences working in consulting and on the vendor side of things, honestly. Systems that don't have any practical need for air gaps always seem to be air-gapped, and systems that probably should be air-gapped often aren't.
> "But at about 1:30 p.m. the same day, Gualtieri said, someone accessed the system again. This time, he said, the operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million."
who wants to bet this might have been as simple as improper usage/implementation of Teamviewer gone wrong?
when dealing with persons/organizations who are not focused on infosec/netsec issues, given the opportunity and ability to do so, never underestimate the workarounds and kludges that people will install to "make their job easier", such as putting teamviewer on control system PCs running water systems.
I can imagine that especially during covid, there might have been some substantial convenience to having teamviewer on that computer system. Not justifying it's presence, but I do think this is a failure of IT not finding a way to make access to the system both secure and convenient.
Well the superbowl was being played that weekend a few miles away on Sunday and so there was a large amount of media and visitors in town for the game(also heavy national coverage). Glad they reverted it as who knows what would have happened if left unchecked.
The implications of such a thing could have been terrifying and tragic. Goes to show that you should never be overconfident about or underestimate the security of your computer systems. Especially if you are a critical government agency. I hope they've learned their lesson about having a cybersecurity plan and system backups in place, instead of hubris. They avoided the consequences this time, but next time it could be too late.
15 comments
[ 2.9 ms ] story [ 46.3 ms ] threadwho wants to bet this might have been as simple as improper usage/implementation of Teamviewer gone wrong?
when dealing with persons/organizations who are not focused on infosec/netsec issues, given the opportunity and ability to do so, never underestimate the workarounds and kludges that people will install to "make their job easier", such as putting teamviewer on control system PCs running water systems.
Either someone messed up, or there is a resourceful attacker.
* Remote access to systems that could kill people must be limited to people with the following thought out permissions and secured credentials
And more:
* The list of people who can access this system must be documented
* The accounts must have their password be changed every 6 months
* A committee must review the set of outstanding patches and upgrades for known issues every 4 months and prioritize what to fix
* I hope that someone is actually installing those patches and upgrades.
Surely they'll be capable of configuring a corporate VPN without a fat budget to have Cisco do it for them...right?
Well the superbowl was being played that weekend a few miles away on Sunday and so there was a large amount of media and visitors in town for the game(also heavy national coverage). Glad they reverted it as who knows what would have happened if left unchecked.