By this time you have probably heard the theoretically scary story of how hackers managed to infiltrate the computer systems in a water treatment plant in Oldsmar, Florida and control the chemical levels remotely – but it seems that the description gives the hackers ver, ver too much credit.
The reality? The water purification plant self left remote control software on these critical computers – and apparently never bothered to change the password.
An official cyber security advice on the incident from the state of Massachusetts (via Ars Technica) explains that the SCADA control system was obtained via TeamViewer, the kind of external desktop application that an IT administrator can implement to remotely troubleshoot computers – not something you generally want to connect to a critical system. More importantly, and here I will only quote the Massachusetts report verbatim:
Furthermore, all computers shared the same password for remote access and appeared to be directly connected to the Internet without any firewall installed.
Yes, just like the Florida Department of Health, this water treatment plant in Florida has apparently not bothered to issue individual passwords for software that can give everyone full access to any of their computers and their water treatment system.
In other words, any employee can adjust the entire city’s water supply at any time from anywhere in the world. This is probably what happened: former US cyber security tsar Christopher Krebs testified earlier today that it was ‘most likely’ an insider, possibly a dissatisfied employee. Someone who would already have access, who would not make a ‘hack’ at all.
In later remarks, @C_C_Krebs explains: “It is possible that it was an insider or a dissatisfied employee. It is also possible that it was a foreign actor.” … But ‘we must not conclude that it is a’ sophisticated ‘adversary.
– Ellen Nakashima (@nakashimae) 10 February 2021
By the way, it’s not like the water treatment plant even used the software: Pinellas County Sheriff Bob Gualtieri said the plant actually stopped using TeamViewer six months ago, The Wall Street Journal, but it still left installed.
It should probably go without saying that your critical public infrastructure should not be easily accessible from anywhere in the world, but the FBI says that in any case, according to ZDNet; the agency today issued a warning against TeamViewer, bad passwords and Windows 7, which Microsoft no longer supports with security updates, but has still installed the water treatment plant.
Unfortunately, reported by Under and Cyberscoop suggests that lax security (including TeamViewer specifically) and outdated infrastructure are all too common with small public utilities, which may not have the budget, expertise or even the ability to control their own security systems, but rather extend it to third parties.
The good news is that a factory operator quickly notices the intrusion, reverses it and no one seems to have been harmed.