Hacked Florida water plant used shared passwords and Windows 7 PCs
"Municipal water utilities are extremely underfunded and under-resourced."
The Oldsmar, Florida water plant hacked earlier this week used outdated Windows 7 PCs and shared passwords, the Associated Press has reported. A government advisory also revealed that the relatively unsophisticated attack used the remote-access program TeamViewer. However, officials said that the hacker’s attempt to boost chemicals to dangerous levels was stopped almost immediately after it started.
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment,” according to investigators. “The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.”
The unknown attacker logged into TeamViewer, accessed sensitive systems and attempted to boost lye levels by 100 times. A supervisor monitoring one of the systems saw a mouse pointer move across the screen and “immediately noticed the change in dosing amounts,” according to the advisory. The supervisor was able to reverse it immediately and the water treatment process was unaffected. Had the change gone unobserved, the alteration would have taken 24-36 hours to affect the water supply, and plant safeguards would have detected and stopped it.
Windows 7 has not been patched with security updates in over a year. On top of everything else, the computers were “connected directly to the Internet without any type of firewall protection installed,” the advisory said.
The Oldsmar hack was an accident waiting to happen, according to experts. “We have known for a long time that municipal water utilities are extremely underfunded and under-resourced, and that makes them a soft target for cyberattacks,” Dragos Security’s Lesley Carhart told the AP. “In a lot of cases, all of them have a very small IT staff. Some of them have no dedicated security staff at all.”