We frequently hear about security incidents in which attackers gained access to systems through remote maintenance access. This was recently the case at a water provider in Oldsmar, Florida, where an attacker gained access to a user interface via TeamViewer. Many customers in the industry use TeamViewer as a remote access solution. As part of OT Infrastructure Assessments, we help our customers evaluate technologies before the company selects them.
Remote maintenance access is extremely important and practical for OT systems, both for the operator and for the plant builder or integrator. There is almost no OT system that does not have remote access integrated in some way (for maintenance, servicing, troubleshooting, etc.). If the remote access points are poorly secured, as was the case with the water provider in Oldsmar, they can be accessed directly from the Internet. Where a simple port redirection is set up at the firewall (that is, the ports used, for example TCP/5938 and UDP/5938, or TCP/80 or TCP/443, are forwarded directly to the internal system), an attacker can identify these remote maintenance services as such from the Internet. If easy-to-guess user names (e.g. admin) and passwords (e.g. remote) are used, it is easy for the attacker to access the system.
How can you as a company protect yourself?
The first step towards secure remote maintenance access is to analyze your own attack surface. With our Distributed Cyber Recon System we identify the real attack surface and detect potential vulnerabilities. A penetration test also reveals and exploits different remote maintenance access points, since a pentest particularly checks the externally facing interfaces from an attacker’s point of view. A technical test of the security of remote maintenance solutions in use is also possible. At Limes Security, we work vendor-independently and test systems objectively, regardless of the manufacturer used. As a preventive measure, it makes sense, for example, to identify instances of TeamViewer and check how they are connected to the Internet. A check of the type of connectivity TeamViewer uses (simple port forwarding or tunneled connection) provides clarity here.
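One way to run the port-forwarding check described above against your own firewall export, as an added example that is not Limes Security's tooling: it assumes a Linux firewall whose rules are dumped with `iptables-save`, and the sample rules, addresses, interface names and function names are constructed for illustration.

```python
import shlex

# Ports the article lists as commonly forwarded for remote maintenance.
WATCHED = {("tcp", 5938), ("udp", 5938), ("tcp", 80), ("tcp", 443)}

# Constructed iptables-save excerpt (addresses and interface names are made up).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i wan0 -p tcp -m tcp --dport 5938 -j DNAT --to-destination 192.168.10.20:5938
-A PREROUTING -i wan0 -p udp -m udp --dport 5938 -j DNAT --to-destination 192.168.10.20:5938
-A PREROUTING -s 203.0.113.0/24 -i wan0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.10.30
-A PREROUTING -i wan0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.10.40:22
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 5938 -j ACCEPT
COMMIT
"""

def ports_of(spec):
    """Expand '443', '80,443' or '5900:5940' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def find_direct_forwards(ruleset):
    """Return nat/PREROUTING DNAT rules that forward a watched port inward."""
    findings, table = [], None
    for line in ruleset.splitlines():
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:].strip()
            continue
        tok = shlex.split(line)
        if table != "nat" or tok[:2] != ["-A", "PREROUTING"]:
            continue
        opts = {k: v for k, v in zip(tok, tok[1:]) if k.startswith("-")}
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") != "DNAT" or not spec:
            continue
        proto = opts.get("-p", "")
        hits = sorted(p for p in ports_of(spec) if (proto, p) in WATCHED)
        if hits:  # any_source: no -s match (or a negated one) restricts the sender
            findings.append({"proto": proto, "ports": hits,
                             "target": opts.get("--to-destination"),
                             "any_source": "-s" not in opts or "!" in tok})
    return findings

print(find_direct_forwards(SAMPLE_RULES))
```

Forwards reported with `any_source` set to true are the simple port redirections the article warns about; each flagged target is an internal host to check for a TeamViewer instance or other remote maintenance service.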