The water plant in Oldsmar, Florida, that was hit by a hacker in a horrific cyberattack last week is said to have had very weak computer security practices. Recent updates from government authorities state that the facility lacked basic network protections, including a firewall.
In case you missed it, a hacker allegedly hijacked the plant’s operational controls on Friday and temporarily raised the sodium hydroxide content in the water to poisonous levels. The facility is the main source of drinking water for the city’s 15,000 residents. While a plant operator was eventually able to return the water to normal levels, the incident has sparked a national conversation about the state of security in America’s critical infrastructure.
Like many such facilities, Oldsmar uses a SCADA (short for “supervisory control and data acquisition”) system that allows staff to monitor and control the conditions within the facility. At the same time, staff have also used TeamViewer, a fairly common remote access program, which can be used to monitor and control systems within SCADA.
According to a new cybersecurity advisory from the state of Massachusetts, the plant’s protections for these systems left something to be desired. Not only did the facility use Windows 7, obsolete software that Microsoft no longer supports, but apparently all of its employees shared the same password to access TeamViewer. In addition, the advisory states that the facility “appeared to be directly connected to the Internet without any firewall protection installed.”
Yes, it’s not exactly a five-star review. The FBI reiterated that poor assessment on Wednesday, issuing an alert to private industry leaders about the Oldsmar incident. The Bureau stated that hackers had undoubtedly exploited the facility’s “cybersecurity weaknesses” and warned companies about similar practices:
“Cyber actors are likely to gain access to the system by exploiting cybersecurity weaknesses, including poor password security and an obsolete Windows 7 operating system to compromise the software used to manage water treatment remotely. Probably the actor also used TeamViewer desktop sharing software to gain unauthorized access to the system.”
Both the FBI and the Massachusetts advisory appear to confirm that the hackers were able to gain access through TeamViewer, getting in via poor password security or the obsolete Windows 7 software the facility used.
All industrial organizations operate with a symbiotic mix of information technology and operational technology, and cyber researchers have long been hypothesizing about the types of horrors they expect in a world where bad actors can use the former to control the latter. Oldsmar has certainly kicked this conversation into overdrive, driving a broader discussion about how to protect U.S. critical infrastructure.
Ultimately, the city’s security weaknesses aren’t that surprising either. State and local governments have lagged far behind federal agencies and the private sector in terms of security, a central reason why lawmakers have been pushing to direct federal funding down to state and local cybersecurity agencies. The Oldsmar incident, combined with the shock waves of the ongoing SolarWinds scandal, has only driven more demand for broader public sector cybersecurity investments, which the new Biden administration has promised to make.