The Florida water treatment facility, whose computer system suffered a potentially dangerous computer breach last week, used an unsupported version of Windows without a firewall and shared the same TeamViewer password among its employees, government officials said.
The computer invasion took place last Friday in Oldsmar, a city in Florida with about 15,000 inhabitants and about 15 miles northwest of Tampa. After obtaining remote access to a computer that controlled the equipment inside the Oldsmar water treatment plant, the unknown intruder increased the amount of sodium hydroxide – a caustic chemical better known as caustic soda – by a factor of 100. Adulteration it may have caused serious illness or death if it were not for the safeguards that the city had in place.
Beware of loose security
According to a statement from the state of Massachusetts, employees at the Oldsmar unit used a computer running Windows 7 to remotely access the factory controls known as SCADA – short for “supervisory control and data acquisition” – the system. Furthermore, the computer did not have a firewall installed and used a password shared by employees to log in remotely to city systems with the TeamViewer application
Massachusetts officials wrote:
The unidentified actors accessed the SCADA controls of the water treatment plant through the remote access software, TeamViewer, which was installed on one of several computers that the water treatment plant staff used to perform system status checks and respond. to alarms or any other problems that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. In addition, all computers shared the same password for remote access and appeared to be directly connected to the Internet without any type of firewall protection installed.
A private industry notice published by the FBI provided a similar assessment. It said:
Cybercriminals likely accessed the system by exploiting the weaknesses of cyber security, including poor password security and an outdated Windows 7 operating system to compromise the software used
to remotely manage water treatment. The actor probably also used TeamViewer desktop sharing software to gain unauthorized access to the system.
FBI
Employees at Oldsmar’s water treatment department and the city manager’s office did not immediately respond to telephone messages asking for comments on this post.
Sins and omissions
The revelations illustrate the lack of security rigor found in many critical infrastructure environments. In January, Microsoft ended support for Windows 7, a change that ended security updates for the operating system. Windows 7 also offers less security protections than Windows 10. The lack of a firewall and the same password for each employee are also signs that the department’s security regime was not as strict as it could be.
The breach occurred around 1:30 pm, when an employee watched the mouse on his city computer move by itself while an unknown party remotely accessed an interface that controlled the water treatment process. The person on the other end changed the amount of lye added to the water from about 100 parts per million to 11,100 ppm. Lye is used in small quantities to adjust the alkalinity of drinking water and to remove metals and other contaminants. In larger doses, the chemical is a health hazard.
Christopher Krebs, former head of the Cyber Security and Infrastructure Agency, supposedly said an Internal Security committee of the House of Representatives on Wednesday that the breach was “very likely” the work of “a disgruntled employee”.
City officials said residents were never in danger because the change was quickly detected and reversed. Even if the change has not been reversed, officials said, treatment plant staff have to lay off to catch dangerous conditions before water is delivered to homes and businesses.
The TeamViewer shared password was previously reported by the Associated Press.