Water plant employees who were hacked used the same TeamViewer password and no firewall


The Florida water treatment facility whose computer system suffered a potentially dangerous breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials said.

The computer break-in occurred last Friday in Oldsmar, a Florida town of about 15,000, about 15 miles northwest of Tampa. After gaining remote access to a computer that controlled the equipment at the Oldsmar water treatment plant, the unknown intruder increased the amount of sodium hydroxide — a caustic chemical better known as lye — by a factor of 100. The tampering could have caused serious illness or death had it not been for safeguards that the city has put in place.

Beware of lax security

According to an advisory from the state of Massachusetts, Oldsmar facility employees used a computer running Windows 7 to remotely access plant controls known as a SCADA (short for “supervisory control and data acquisition”) system. In addition, the computer had no firewall installed, and a password shared by employees was used to remotely log into city systems using the TeamViewer application.

Massachusetts officials wrote:

The unidentified actors accessed the SCADA controls of the water treatment plant via remote access software, TeamViewer, which was installed on one of the computers that the water treatment plant personnel used to perform system health checks and respond to alarms or other problems that arose during the water treatment process. All computers used by the water plant personnel were connected to the SCADA system and were running the 32-bit version of the Windows 7 operating system. Furthermore, all computers shared the same remote access password and appeared to be connected directly to the Internet with no firewall protection of any kind installed.

A private sector notice published by the FBI yielded a similar assessment. It said:

The cyber actors likely gained access to the system by exploiting cybersecurity vulnerabilities, including poor password protection and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.

FBI

Employees at Oldsmar’s water treatment department and the city manager’s office did not immediately respond to telephone messages seeking comment for this article.

Sins and omissions

The disclosures illustrate the lack of security rigor in many critical infrastructure environments. In January, Microsoft ended support for Windows 7, a move that ended security updates for the operating system. Windows 7 also offers less security than Windows 10. The lack of a firewall and a password that was the same for every employee are also signs that the department’s security regime wasn’t as tight as it could have been.
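The three weaknesses named above (an operating system past end of support, no firewall, and one remote-access password for everyone) can be checked across an asset inventory. The following is an added example, not part of the original article or of either advisory; the inventory field names, host names and credential identifiers are constructed assumptions.

```python
from collections import defaultdict

# Operating systems treated as past vendor support (the article names Windows 7).
END_OF_SUPPORT_OS = {"Windows 7"}

# Constructed sample inventory; field names are hypothetical, not from a real tool.
INVENTORY = [
    {"host": "ops-ws-01", "os": "Windows 7", "host_firewall": False,
     "internet_facing": True, "reaches_scada": True, "remote_cred_id": "tv-shared"},
    {"host": "ops-ws-02", "os": "Windows 10", "host_firewall": True,
     "internet_facing": False, "reaches_scada": True, "remote_cred_id": "tv-shared"},
    {"host": "eng-ws-03", "os": "Windows 10", "host_firewall": True,
     "internet_facing": False, "reaches_scada": True, "remote_cred_id": "tv-eng-03"},
    {"host": "office-ws-04", "os": "Windows 10", "host_firewall": True,
     "internet_facing": False, "reaches_scada": False, "remote_cred_id": None},
]

def audit(inventory):
    """Return {host: [findings]} for the weaknesses the article describes."""
    # Group hosts by remote-access credential so reuse across machines is visible.
    by_cred = defaultdict(list)
    for rec in inventory:
        if rec.get("remote_cred_id"):
            by_cred[rec["remote_cred_id"]].append(rec["host"])

    report = {}
    for rec in inventory:
        findings = []
        if rec["os"] in END_OF_SUPPORT_OS:
            findings.append("os-end-of-support")
        if not rec["host_firewall"]:
            findings.append("no-firewall")
        if rec["internet_facing"] and rec["reaches_scada"]:
            findings.append("scada-reachable-from-internet")
        peers = sorted(set(by_cred.get(rec.get("remote_cred_id"), [])) - {rec["host"]})
        if peers:
            findings.append("shared-remote-credential:" + ",".join(peers))
        if findings:
            report[rec["host"]] = findings
    return report

def priority(report):
    """Hosts ordered worst first (most findings), ties broken by name."""
    return sorted(report, key=lambda h: (-len(report[h]), h))

if __name__ == "__main__":
    result = audit(INVENTORY)
    for host in priority(result):
        print(host, result[host])
```

A host that is otherwise well configured (`ops-ws-02` here) is still flagged, because the credential it shares with a weaker machine gives the same remote access.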

The breach occurred around 1:30 p.m., when an employee saw the mouse on his city computer move on its own while an unknown party gained remote access to an interface controlling the water purification process. The person on the other end changed the amount of lye added to the water from about 100 parts per million to 11,100 ppm. Lye is used in small amounts to adjust the alkalinity of drinking water and remove metals and other contaminants. In larger doses, the chemical is a health hazard.

Christopher Krebs, former head of the Cybersecurity and Infrastructure Security Agency, reportedly told the House Homeland Security Committee on Wednesday that the breach was “very likely” the work of “a disgruntled employee.”

City officials said residents were never in danger as the change was quickly detected and reversed. Even if the change hadn’t been reversed, officials said, the treatment plant has redundancies in place to deal with dangerous conditions before water is delivered to homes and businesses.

The TeamViewer shared password was previously reported by the Associated Press.
