The Florida city water treatment facility targeted last week in a hack that could have released harmful chemicals to the public was running Windows 7 and practiced poor password security, according to news reports.
The news comes just days after the disclosure of the hack in Oldsmar, Fla., in which a malicious actor attempted to alter the level of sodium hydroxide and increase it to more than 100 times its normal level. System operators noticed the intrusion and stopped any further compromise, but the ease with which the attacker infiltrated the computer system raised concerns among officials.
According to new information from officials in Massachusetts, the cyber defenses of the plant were subpar and relied on unsupported operating systems, and the operators had poor cybersecurity habits.
As was reported before, the unidentified actor accessed the plant’s supervisory control and data acquisition (SCADA) system via the remote access software TeamViewer. According to the advisory from Massachusetts, the software was installed on one of several computers the plant personnel used to check the system status and respond to alarms.
Alarmingly, all operators used the same password for that software, per the alert.
All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.
Microsoft stopped supporting Windows 7 more than a year ago on Jan. 14, 2020, and strong password security is step one in basic cybersecurity. For those charged with maintaining a vital resource such as water, network security should be top of mind.
However, that’s not the case, as there are thousands of separate water suppliers in the U.S., each operating with a different set of tools, standards and practices.
Chris Krebs, the former director of the U.S. Cybersecurity and Infrastructure Agency, told the U.S. House Homeland Security Committee yesterday that this could be a disgruntled worker or a foreign actor. In the former case, a former employee should never be able to access their former employer’s network.
In addition to constant updates and security patches, municipal IT professionals or administrators for public water suppliers should take the following steps:
- Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
- Install a firewall software/hardware appliance with logging and ensure it is turned on. The firewall should be secluded and not permitted to communicate with unauthorized sources.
- Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
- Use two-factor authentication with strong passwords.
- Only use secure networks and consider installing a virtual private network (VPN).
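
The checklist above can be run against an asset inventory to surface the same weaknesses the advisory describes. The following is an added example, not code from the advisory or the plant; the host names, field names, finding labels and audit date are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# End-of-support dates. The Windows 7 date is the one cited in the article;
# the Windows 10 date is added here for the example.
END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14),
                  "Windows 10": date(2025, 10, 14)}

# Constructed inventory (hypothetical hosts, not real plant data). "cred_id" is
# an opaque reference to the remote-access credential, such as a password-vault
# entry ID, so reuse can be detected without handling the password itself.
INVENTORY = [
    {"host": "hmi-01", "os": "Windows 7", "scada_connected": True,
     "remote_control": True, "cred_id": "vault-17", "mfa": False,
     "firewall_enabled": False, "internet_facing": True},
    {"host": "hmi-02", "os": "Windows 7", "scada_connected": True,
     "remote_control": True, "cred_id": "vault-17", "mfa": False,
     "firewall_enabled": False, "internet_facing": True},
    # Monitoring-only host behind a firewall, with no remote control software.
    {"host": "mon-01", "os": "Windows 10", "scada_connected": True,
     "remote_control": False, "cred_id": None, "mfa": True,
     "firewall_enabled": True, "internet_facing": False},
]

def audit(inventory, today):
    """Return a sorted list of (host, finding) tuples for the checklist items."""
    findings = []
    by_cred = defaultdict(list)
    for h in inventory:
        eos = END_OF_SUPPORT.get(h["os"])
        if eos is None:
            # Unknown lifecycle is reported rather than silently passed.
            findings.append((h["host"], "os-lifecycle-unknown"))
        elif today > eos:
            findings.append((h["host"], "unsupported-os"))
        if h["internet_facing"] and not h["firewall_enabled"]:
            findings.append((h["host"], "exposed-without-firewall"))
        if h["remote_control"]:
            by_cred[h["cred_id"]].append(h["host"])
            if h["scada_connected"]:
                findings.append((h["host"], "remote-control-on-scada"))
            if not h["mfa"]:
                findings.append((h["host"], "remote-access-without-2fa"))
    # One remote-access credential used on more than one host is shared.
    for hosts in by_cred.values():
        if len(hosts) > 1:
            findings.extend((name, "shared-remote-credential") for name in hosts)
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in audit(INVENTORY, date(2021, 2, 15)):
        print(f"{host}: {finding}")
```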