The aquatic plant in Oldsmar, Fla. target of a hacker in a horrific cyber attack last week there would have been very weak IT security practices. Recent updates from government agencies claim the facility lacked any basic network security, including a firewall.
In case you missed it, a hacker allegedly hijacked the plant’s operational controls on Friday, temporarily boosting the sodium hydroxide levels in the water to toxic levels. The facility is the primary source of drinking water for the city’s 15,000 residents. Although an operator of an installation was eventually able to return the water to normal levels, the incident nevertheless sparked a national conversation about the state of security in America’s critical infrastructure.
Like many facilities of its kind, Oldsmar uses a SCADA (short for ‘supervisory control and data acquisition system”) Allows personnel to monitor and control conditions within the facility. At the same time, the staff also uses TeamViewer, a fairly common remote access program, which can be used to monitor and control systems within the SCADA.
According to a new cybersecurity advice from the state of Massachusetts left the plant’s protection of these systems to be desired. The facility wasn’t just using Windows 7 – an outdated software which Microsoft no longer supports– but all his employees apparently shared the same password to access TeamViewer. Additionally, the advisory claims that the facility “appeared to be connected directly to the Internet without any firewall protection installed.”
Yes, not exactly a five-star review. The FBI reiterated this poor assessment on Wednesday, which brought a warning to private sector leaders regarding the Oldsmar incident. The agency stated that hackers have no doubt exploited the facility’s “ cybersecurity weaknesses ” and warned companies against similar practices:
“The cyber actors have likely gained access to the system by exploiting vulnerabilities in cybersecurity, including poor password protection and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system. “
G / O Media can receive a commission
Both the FBI and the Massachusetts advisory body appear to confirm that the hackers could gain access through TeamViewer, either through poor password protection or through the outdated Windows 7 program that used the facility.
All industrial organizations work with a symbiotic blend of information and operational technology – and cyber researchers have long hypothesized the kind of horrors that await in a world where evil actors can use the former to conquer the latter. Oldsmar certainly kicked that conversation into hyperdrive – sparking a broader conversation about how to protect America’s critical infrastructure.
Ultimately, the city’s security weaknesses aren’t that surprising either. State and local governments are long behind federal agencies and the private sector when it comes to security – a major reason why lawmakers pushed to reduce federal funding to state and local cybersecurity agencies. The Oldsmar Incident – combined with the shock waves of the ongoing SolarWinds scandal– has only fueled calls for more widespread investment in cyber security in the public sector, such as the new Biden administration has promised to deliver.