The Florida water treatment facility whose computer system experienced a potentially hazardous computer breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials have reported.
The computer intrusion happened last Friday in Oldsmar, a Florida city of about 15,000 that’s roughly 15 miles northwest of Tampa. After gaining remote access to a computer that controlled equipment inside the Oldsmar water treatment plant, the unknown intruder increased the amount of sodium hydroxide—a caustic chemical better known as lye—by a factor of 100. The tampering could have caused severe sickness or death had it not been for safeguards the city has in place.
Watch out for lax security
According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.
Massachusetts officials wrote:
The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.
A private industry notification published by the FBI provided a similar assessment. It said:
The cyber actors likely accessed the system by exploiting cyber security weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.
Employees in Oldsmar’s water treatment department and city manager’s office didn’t immediately respond to phone messages seeking comment for this post.
Sins and omissions
The revelations illustrate the lack of security rigor found inside many critical infrastructure environments. In January, Microsoft ended support for Windows 7, a move that ended security updates for the operating system. Windows 7 also provides fewer security protections than Windows 10. The lack of a firewall and a password that was the same for each employee are also signs that the department’s security regimen wasn’t as tight as it could have been.
The breach occurred around 1:30 pm, when an employee watched the mouse on his city computer moving on its own as an unknown party remotely accessed an interface that controlled the water treatment process. The person on the other end changed the amount of lye added to the water from about 100 parts per million to 11,100 ppm. Lye is used in small amounts to adjust drinking water alkalinity and remove metals and other contaminants. In larger doses, the chemical is a health hazard.
Christopher Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, reportedly told a House of Representatives Homeland Security committee on Wednesday that the breach was “very likely” the work of “a disgruntled employee.”
Metropolis officers stated residents have been by no means in peril, as a result of the change was rapidly detected and reversed. Even when the change hadn’t been reversed, the officers stated, therapy plant personnel have redundancies in place to catch harmful situations earlier than water is delivered to properties and companies.
The shared TeamViewer password was reported earlier by the Related Press.