The Florida water treatment facility whose computer system experienced a potentially hazardous computer breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials have reported.
The computer intrusion happened last Friday in Oldsmar, a Florida city of about 15,000 that’s roughly 15 miles northwest of Tampa. After gaining remote access to a computer that controlled equipment inside the Oldsmar water treatment plant, the unknown intruder increased the amount of sodium hydroxide—a caustic chemical better known as lye—by a factor of 100. The tampering could have caused severe sickness or death had it not been for safeguards the city has in place.
Beware of lax security
According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.
Massachusetts officials wrote:
The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.
A private industry notification published by the FBI provided a similar assessment. It said:
The cyber actors likely accessed the system by exploiting cyber security weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.
Employees in Oldsmar’s water treatment department and city manager’s office didn’t immediately respond to phone messages seeking comment for this post.
Sins and omissions
The revelations illustrate the lack of security rigor found inside many critical infrastructure environments. In January, Microsoft ended support for Windows 7, a move that ended security updates for the operating system. Windows 7 also provides fewer security protections than Windows 10. The lack of a firewall and a password that was the same for each employee are also signs that the department’s security regimen wasn’t as tight as it could have been.
The breach occurred around 1:30pm, when an employee watched the mouse on his city computer moving on its own as an unknown party remotely accessed an interface that controlled the water treatment process. The person on the other end changed the amount of lye added to the water from about 100 parts per million to 11,100 ppm. Lye is used in small amounts to adjust drinking water alkalinity and remove metals and other contaminants. In larger doses, the chemical is a health hazard.
Christopher Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, reportedly told a House of Representatives Homeland Security committee on Wednesday that the breach was “very possible” the work of “a disgruntled worker.”
City officials said residents were never in danger, because the change was quickly detected and reversed. Even if the change hadn’t been reversed, the officials said, treatment plant personnel have redundancies in place to catch dangerous conditions before water is delivered to homes and businesses.
The shared TeamViewer password was reported earlier by the Associated Press.