Florida City's Water Hack: Poor IT Security Laid BareOldsmar Used Windows 7, Shared TeamViewer Password, Didn't Have a Firewall
When officials in Oldsmar, Florida, announced on Monday that a hacker had tried last week to increase the amount of lye in the city's water treatment system, the focus quickly turned to how the city managed remote access to the system.
Reuters revealed that the city, which is about 17 miles northwest of Tampa, used TeamViewer software to remotely access the system that adjusts the amount of chemicals in the water (see: 5 Critical Questions Raised by Water Treatment Facility Hack).
Like other small towns, Oldsmar likely faces budget restrictions, which puts it in the difficult position of balancing scarce resources. But the hack shows that despite the increased focus on industrial control system and SCADA security, a calamity could be a ghostly mouse click away.
The city hasn't yet revealed more details, but Oldsmar's IT security problems have been laid bare in an advisory issued by the state of Massachusetts to its own water treatment plants, as reported by The Associated Press.
And if you suspected that Oldsmar's IT security controls were substandard, then you were correct.
The Massachusetts advisory says all of the computers at the Florida plant were network-connected to the supervisory control and data acquisition - aka SCADA - controls, and all were running 32-bit versions of Windows 7. Microsoft officially ended support for Windows 7 on Jan. 14, 2020, which means that the operating system will receive no more standard security updates.
But the story gets worse. The advisory about Oldsmar says that "all computers shared the same password for remote access and appeared to be connected directly to the internet without any type of firewall protection installed."
Numerous possibilities exist for how a hacker may have ended up commandeering Oldsmar's TeamViewer software, and none of them would have been difficult.
The city's poor IT security stance, however, may actually come as a relief as concern grows over the safety of critical infrastructure. Oldmar's situation lies in the realm of the lowest of the low-hanging fruit.
As cybersecurity journalist Brian Krebs notes in an analysis on Wednesday, the majority of water treatment plants in the U.S. likely rely on remote access software because they aren't always staffed.
Nonetheless, Oldsmar's errors posed a high risk, and they have rightly raised new alarms about the controls at other water treatment plants across the U.S.
In a press conference on Monday, Pinellas County Sheriff Bob Gualtieri said an operator at the treatment plant noticed his mouse pointer moving around 8 a.m. on Friday (see: Hacker Breached Florida City's Water Treatment System).
That wasn't unusual, as Gualtieri said other operators remotely logged into the system to manage it. But around 1:30 p.m., the operator noticed someone again in the system. The hacker then increased the level of lye, aka sodium hydroxide, from 100 parts per million to 11,100 parts per million. Lye, a main ingredient in drain cleaner, is used in much lower concentrations at treatment plants to make water less acidic.
At Oldsmar's plant, changes to the lye level can take 24 to 36 hours to take effect, so the public was not in danger. The operator immediately reversed the change and notified officials, who locked down all remote access and alerted law enforcement agencies.
Brush With Danger
The identity of whoever launched the attack remains unknown; the FBI and U.S. Secret Service are investigating. Gualtieri said on Monday that officials were unsure if the breach came from within the U.S. or from overseas.
Theories of who was responsible for the hack range from a disgruntled employee to a script kiddie to a nation-state hacker. Oldsmar, a city of fewer than 15,000 people, would hardly seem to be on the radar of nation-state attackers. The circumstances of the takeover smack of opportunism, perhaps spurred by an intriguing search with the IoT device search engine Shodan. A more careful hacker also wouldn't have tried to fiddle with controls during working hours.
At the Monday press conference, city officials acknowledged that they were aware of the cybersecurity concerns around critical infrastructure and the potential - even for a small city such as Oldsmar - to be affected.
City Manager Al Braithwaite said: "I think we anticipated that this day was coming. We talk about it, we think about it, we study it."
When the day came, though, the city wasn't ready. As a backstop, water-testing systems were in place that would have - in theory - alerted that there was an excess level of lye in the system before the water transited into the main system.
But the incident shows that despite cybersecurity experts urging everyone to increase their focus on industrial control system and SCADA security, a brush with danger could be a ghostly mouse click away.