Hacked Florida Water Plant Reportedly Poor Password Security

The water plant in Oldsmar, Florida. targeted by a hacker in a horrific cyber attack Last week it was said that computer security practices are very weak. Recent updates from government officials claim that the facility lacked some basic network protections, including a firewall.

In case you missed it, a hacker allegedly hijacked the plant’s operational controls on Friday, temporarily raising the sodium hydroxide content in the water to toxic levels. The facility is the main source of drinking water for the city’s 15,000 residents. Although a plant operator was ultimately able to bring the water back to normal levels, the incident nonetheless sparked a national conversation about the state of security in America’s critical infrastructure.

Like many installations of this type, Oldsmar uses a SCADA (short for “supervisory control and data acquisition systemWhich allows staff to monitor and control conditions in the facility. At the same time, the staff also used TeamViewer, a fairly common remote access program, which can be used to monitor and control systems within the SCADA.

According to a new cybersecurity advisory from the state of Massachusetts, the plant protections for these systems left something to be desired. Not only did the installation use Windows 7, outdated software that Microsoft no longer supports—But all of his employees apparently shared the same password to access TeamViewer. Additionally, the advisory claims that the installation “appeared to be connected directly to the Internet with no type of firewall installed.”

Yes, not exactly a five star review. The FBI reiterated the poor assessment on Wednesday, which issued an alert to private sector executives regarding the Oldsmar incident. The Bureau declared that the hackers undoubtedly exploited the facility’s “cybersecurity weaknesses” and warned companies against similar practices:

“Cyber ​​actors likely entered the system by exploiting weaknesses in cybersecurity, including poor password security and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used TeamViewer desktop sharing software to gain unauthorized access to the system. “

The FBI and the Massachusetts advisory appear to confirm that the hackers were able to enter through TeamViewer, crawling through poor password security or the outdated Windows 7 program the facility was using.

All industrial organizations operate with a symbiotic mix of information and operational technologies – and cyber researchers have long speculated about the kinds of horrors that await in a world where bad actors can use the former to requisition the latter. Oldsmar certainly kicked off that conversation in hyperdrive – sparking a larger conversation about how to protect America’s critical infrastructure.

In the end, the city’s security weaknesses aren’t all that surprising either. State and local governments have long lagged behind federal and private sector agencies on security – a major reason lawmakers have pushed lower federal funding to state and local agencies for cybersecurity. The Oldsmar incident – combined with the shockwaves of SolarWinds scandal in progress– only sparked calls for more general investment in public sector cybersecurity, than the new Biden administration promised to hold on.