The water plant in Oldsmar, Fla. targeted by a hacker in a horrific cyber attack last week it is said to have shown very poor IT security practices. Recent government updates claim that the facility did not have basic network protections – including a firewall.
If you missed it, a hooker allegedly hijacked the plant’s operational controls and temporarily increased the sodium hydroxide content in the water to toxic levels. The facility is the primary source of drinking water for the city’s 15,000 residents. Although a factory operator was eventually able to return the water to normal levels, the incident nevertheless sparked a national debate over the state of safety in America’s critical infrastructure.
Like many facilities of its kind, Oldsmar uses a SCADA (abbreviation for ‘surveillance system and data acquisition system”) With which staff can monitor and control the conditions within the facility. At the same time, staff also use TeamViewer, a fairly common remote access program that can be used to monitor and control systems within SCADA.
According to a new cyber security advice from the state of Massachusetts, has left the protection of the plant for these systems something to be desired. Not only did Windows 7 make use of it – an outdated software which Microsoft no longer supports—But all of its employees apparently shared the same password to access TeamViewer. The advice further states that the facility “was directly connected to the internet without any firewall protection being installed.”
Yes, not exactly a five star review. The FBI on Wednesday reiterated this poor assessment, issuing a warning to private industry leaders about the Oldsmar incident. The Bureau declared that cybercriminals undoubtedly took advantage of the “cyber security vulnerabilities” of the facility and warned businesses against similar practices:
‘The cyber actors probably gained access to the system by exploiting poor cybersecurity, including poor password protection and an outdated Windows 7 operating system to compromise the software used to remotely manage water management. The actor probably also used the computer-sharing software TeamViewer to gain unauthorized access to the system. ”
G / O Media can get a commission
Both the FBI and the Massachusetts advice apparently confirm that the hackers were able to gain access through TeamViewer, through a flawed password protection or through the outdated Windows 7 program that used the facility.
All industry organizations work with a symbiotic mix of information technology and operational technology – and cyber researchers have long hypothesized about the kind of atrocities that await in a world where bad actors can use the former to command the latter. Oldsmar certainly kicked that conversation in a high direction – which spurred a broader conversation about how to protect America’s critical infrastructure.
Finally, the city’s security patterns are not so surprising either. State and local governments have long lagged behind federal agencies and the private sector in terms of security – a major reason why lawmakers do so pushed to push federal funding to state and local cyber security agencies. The Oldsmar incident – combined with the shockwaves of the ongoing SolarWinds scandal—Did further calls for more general investment in public-sector cyber-security by the new Biden administration promised to make good on.