Earlier this month, Rambler Gallo pled not guilty to charges that he attempted to sabotage the water treatment facility in Discovery Bay, California. The facility provides treatment for the water and wastewater systems for the town’s 15,000 residents. An unsealed federal court indictment showed Gallo logged into the Supervisory Control and Data Acquisition (SCADA) network controlled by his employer, Veolia North America, who operated the Discovery Bay facility under contract, and “execut[ed] commands to uninstall software that was the main hub of the facilities computer network and that protected the entire water treatment system, including water pressure, filtration and chemicals levels,” the Department of Justice advisory noted.
Gallo installed and then used the TeamViewer remote control software on his personal computer to access the resident laptop within the facility that controlled the SCADA system and “Ignition” software. The kicker is that Gallo executed these actions on January 15 and 16, 2021, weeks after his last day of employment at the facility, which was December 9, 2020. According to the indictment, Gallo worked for Veolia North America from July 2016 until December 9, 2020, when he resigned.
TeamViewer seems to be the application of choice for those attempting to compromise water facilities via their SCADA network. In February 2021, the water treatment plant for the city of Oldsmar, Florida, was the victim of a cyberattack by a miscreant who leveraged the TeamViewer software to gain access. In this case, Gallo took advantage of the fact that a shared password was used for access to the TeamViewer application. The indictment noted the existence of “a laptop,” which implied it was a shared device; it was on this shared laptop that Gallo allegedly installed the TeamViewer application and gave himself remote access capability even after his resignation.
Nothing to Worry About
Veolia North America’s vice president of communications for Municipal Water commented via email, “The January 2021 incident at the treatment facility in Discovery Bay, California, was promptly detected, addressed and reported, and did not adversely affect ongoing operations of Discovery Bay’s water and wastewater facilities. Based upon our own investigation and a thorough independent investigation, Veolia North America firmly believes that what took place in Discovery Bay was an isolated incident, that its water and wastewater treatment operations nationwide are secure, and that the cybersecurity protections at its facilities constitute sound best practices for infrastructure protection. Veolia has cooperated and will continue to cooperate fully with law enforcement’s investigation of the incident and with the related prosecution. Veolia wishes to thank the Contra Costa County Sheriff’s Office, the U.S. Federal Bureau of Investigation field office in San Francisco, and the U.S. Attorney’s Office for the Northern District of California for their diligent work on this investigation.”
Insider Lessons Learned
The comment from Veolia doesn’t speak to the steps leading to discovery, nor does it speak to how and why Gallo’s actions weren’t discovered prior to his departure—only after he executed his remote access. Those following insider risk management trends and the evolution of cybersecurity and human-centric analysis know the time for action was well before January 15, 2021.
Mohan Koo, co-founder and CEO of DTEX Systems, noted in 2021 that, “an unengaged workforce opens the door for outside attackers to find a way in through employees.” In the Oldsmar, Florida case, this was on display in spades; in the California case, the employee, a trusted insider, allegedly operated in a premeditated and malicious manner which begs the question: What behavioral ticks and signals did Gallo display prior to his resignation? And in the 90 to 120 days prior to his departure, was there a review of his network and device activities that could have raised a red flag?