Hacked Florida Water Plant Found To Have Been Using Unsupported Windows 7 Machines And Shared Passwords
from the sigh dept
By now, you have likely heard about the recent hack into a Florida water treatment plant which resulted in the attacker remotely raising the levels of sodium hydroxide to 100 times the normal level for the city's water supply. While those changes were remediated manually by onsite staff, it should be noted that this represents an outside attacker attempting to literally poison an entire city's water supply. Once the dangerous part of all of this was over, attention rightfully turned to figuring out how in the world this happened.
The answer, as is far too often the case, is poor security practices at the treatment plant.
According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.
If you're not in the IT space, this is base level stuff. Have your computer systems on operating systems that are under active support and are being patched. That is doubly so for any systems that are critical, or which have access to critical systems. And to not have any client security, such as a local software firewall, on such a machine is IT malpractice. On top of the above, it appears that TeamViewer hadn't been actively used by the staff there for nearly six months. So there, again, was poor administration of the environment, with an antiquated remote access application not being removed from the production environment.
Instead, the save in all of this came from the meatware that was fortunately sitting at the machine and actively watching.
The breach occurred around 1:30pm, when an employee watched the mouse on his city computer moving on its own as an unknown party remotely accessed an interface that controlled the water treatment process. The person on the other end changed the amount of lye added to the water from about 100 parts per million to 11,100ppm. Lye is used in small amounts to adjust drinking water alkalinity and remove metals and other contaminants. In larger doses, the chemical is a health hazard.
Christopher Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, reportedly told a House of Representatives Homeland Security committee on Wednesday that the breach was “very likely” the work of “a disgruntled employee.”
It's a water treatment plant for an entire city. In an era where there is an extreme lack of trust in government, dumb stuff like this acts as a supercharger.
Filed Under: florida, scada, security, shared passwords, water plant, windows 7