By now, you’ve probably heard the theoretically scary story of how hackers managed to infiltrate computer systems at a water treatment plant in Oldsmar, Florida, and remotely control chemical levels – but it turns out that this description provides hackers with very far too much credit.
The reality? The water treatment plant in itself left remote control software ready for use on these critical computers – and apparently never, ever, bothered to change the password.
An official cybersecurity statement on the Massachusetts state incident (via Ars Technica) explains that the SCADA control system was accessed via TeamViewer, the type of remote desktop application that an IT administrator can launch to remotely troubleshoot computers – not something you usually want to connect to a critical system. Most importantly, and here I will just quote the Massachusetts report literally:
In addition, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.
Yes, like the Florida Department of Health, this Florida water treatment plant apparently did not bother to issue individual passwords for software that could give anyone full access to any of its computers and water treatment systems.
In other words, any employee could adjust the city’s water supply on a whim, from anywhere in the world. What probably happened: former US cybersecurity czar Christopher Krebs witnessed earlier today that it was “very likely” an insider, possibly a disgruntled employee. Someone who would already have access, which would not be a “hack” at all.
In later comments, @C_C_Krebs clarifies: “It is possible that it is an insider or dissatisfied employee. It is also possible that he is a foreign actor ”. … But “we must not come to the conclusion that it is a sophisticated opponent”.
– Ellen Nakashima (@nakashimae) February 10, 2021
By the way, it’s not like the water treatment plant is using this software: Pinellas County Sheriff Bob Gualtieri said the plant actually stopped using TeamViewer six months ago, according to Wall Street Newspaper, but still left it installed.
It probably shouldn’t have to be that you shouldn’t make critical public infrastructure easily accessible from anywhere in the world, but the FBI is saying it anyway, according to ZDNet; the agency sent an alert today warning against TeamViewer, incorrect passwords and Windows 7, that Microsoft no longer supports security updates, but the water treatment plant had still installed it.
Unfortunately, reports in Vice and Cyberscoop suggest that loose security (including TeamViewer specifically) and outdated infrastructure are very common in small utility companies, who may lack budget, experience or even the ability to control their own security systems, instead, often delivering them to third parties.
The good news is that the plant operator quickly noticed the intrusion, reversed it and it looks like no one was hurt.