By now, you’ve probably heard the theoretically scary story of how hackers managed to infiltrate the computer systems at a water treatment plant in Oldsmar, Florida and remotely control the chemical levels — but it turns out that description gives the hackers far, far too much credit.
The reality? The water treatment plant itself left off-the-shelf remote control software on these critical computers — and apparently never, ever bothered to change the password.
An official cybersecurity advisory about the incident from the state of Massachusetts (via Ars Technica) explains that the SCADA control system was accessed via TeamViewer, the kind of remote desktop application an IT administrator might roll out to remotely troubleshoot computers — not something you’d generally want hooked up to a critical system. More importantly, and here I will just quote the Massachusetts report verbatim:
Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.
Yes, just like Florida’s Department of Health, this Florida water treatment plant apparently didn’t bother to issue individual passwords for software that could give anyone complete access to any of their computers and their water treatment system.
In other words, any employee could adjust the entire town’s water supply on a whim from anywhere in the world. Which is probably what happened: former US cybersecurity czar Christopher Krebs testified earlier today that it was “very likely” an insider, possibly a disgruntled employee. Someone who would already have access, which wouldn’t make this much of a “hack” at all.
In later remarks, @C_C_Krebs clarifies: “It’s possible that this was an insider or a disgruntled employee. It’s also possible that it’s a foreign actor.” … But “we should not jump to a conclusion that it’s a sophisticated” adversary.
— Ellen Nakashima (@nakashimae) February 10, 2021
It’s not like the water treatment plant was even using that software, by the way: Pinellas County Sheriff Bob Gualtieri said the plant had actually stopped using TeamViewer six months ago, according to The Wall Street Journal, but still left it installed.
It should probably go without saying that you shouldn’t leave critical public infrastructure easily accessible from anywhere in the world, but the FBI is saying it anyhow, according to ZDNet; the agency sent out an alert today warning against TeamViewer, bad passwords and Windows 7, which Microsoft no longer supports with security updates but the water treatment plant still had installed.
Sadly, reports at Vice and Cyberscoop suggest that lax security (including TeamViewer specifically) and aging infrastructure are all too common at small public utilities, which may not have the budget, expertise or even the ability to control their own security systems, instead often farming them out to third parties.
The good news is that a plant operator quickly noticed the intrusion, reversed it, and it seems no one was harmed.