Turns out that Florida water treatment facility left the doors wide open for hackers

By now, you’ve probably heard the theoretically scary story of how hackers managed to infiltrate the computer systems at a water treatment plant in Oldsmar, Florida and remotely control the chemical levels — but it turns out that description gives the hackers far, far too much credit.

The reality? The water treatment plant itself left off-the-shelf remote control software on these critical computers — and apparently never, ever bothered to change the password.

An official cybersecurity advisory about the incident from the state of Massachusetts (via Ars Technica) explains that the SCADA control system was accessed via TeamViewer, the kind of remote desktop application an IT administrator might roll out to remotely troubleshoot computers — not something you’d generally want hooked up to a critical system. More importantly, and here I will just quote the Massachusetts report verbatim:

Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.

Yes, just like Florida’s Department of Health, this Florida water treatment plant apparently didn’t bother to issue individual passwords for software that could give anyone complete access to any of their computers and their water treatment system.

In other words, any employee could adjust the entire town’s water supply on a whim from anywhere in the world. Which is probably what happened: former US cybersecurity czar Christopher Krebs testified earlier today that it was “very likely” an insider, possibly a disgruntled employee. Someone who would already have access, which wouldn’t make this much of a “hack” at all.

It’s not like the water treatment plant was even using that software, by the way: Pinellas County Sheriff Bob Gualtieri said the plant had actually stopped using TeamViewer six months ago, according to The Wall Street Journal, but still left it installed.

It should probably go without saying that you shouldn’t leave critical public infrastructure easily accessible from anywhere in the world, but the FBI is saying it anyhow, according to ZDNet; the agency sent out an alert today warning against TeamViewer, bad passwords and Windows 7, which Microsoft no longer supports with security updates but the water treatment plant still had installed.

Sadly, reports at Vice and Cyberscoop suggest that lax security (including TeamViewer specifically) and aging infrastructure are all too common at small public utilities, which may not have the budget, expertise or even the ability to control their own security systems, instead often farming them out to third parties.

The good news is that a plant operator quickly noticed the intrusion, reversed it, and it seems no one was harmed.

Repost: Original Source and Author Link


Hacker Tries to Poison the Water Supply of a Florida City

A computer hacker attempted to poison the water supply of a city in Florida, local police said on Monday, February 8.

The unknown perpetrator was able to remotely access the water treatment system of the city of Oldsmar — population 15,000 — on Friday, February 5, and increase the level of sodium hydroxide (also known as lye) by more than 100 times. The chemical is usually used in small quantities to control the water’s acidity, but if ingested in large amounts could cause burns and other problems.

An attentive plant operator noticed the increased levels of lye, prompting the worker to take action to bring the level back to normal.

Pinellas County Sheriff Bob Gualtieri said during a press conference on Monday: “The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million.”

While the plant operator clearly did great work to spot the anomaly and take corrective action, Gualtieri said systems are already in place to automatically check for tainted water, so in theory the poisoned supply would never have reached residents’ homes.

“Importantly, the public was never in danger,” the sheriff said.

Offering more details about Friday’s attack, Gualtieri explained how the worker had been using software that controls the chemicals and other operations at the water treatment plant. The software allows for remote access to allow authorized users to troubleshoot any system problems that arise.

At about 1:30 p.m., the worker noticed that someone had accessed the computer system, with the remote operator moving the mouse around the screen to open various software that controls the treatment of the water. In the space of around four minutes, the worker saw that the remote operator started altering the amount of sodium hydroxide entering the water supply. The worker could see this happening in real time, prompting them to immediately reduce the level of the chemical back to the regular amount.

Law enforcement, including the FBI, are now investigating the hack to try to determine if it was carried out from within the U.S. or outside the country.

The incident will surely come as a shock to those in charge of critical infrastructure, and provides a wake-up call to ensure proper measures are in place to prevent hackers from causing potentially untold damage. Indeed, Oldsmar Mayor Eric Seidel said during the press conference: “The important thing is to put everybody on notice … to make sure that everyone realizes that these kind of bad actors are out there, it’s happening, so really take a hard look at [your defenses].”


Hacker almost poisoned a Florida city’s water supply

Mainstream media news about hackers often portrays them as petty criminals out to make a quick buck or unconscientious agents working at the behest of some nefarious organization or government. Often, the effects of their actions range from comical annoyances to frightening privacy invasions but only a few have been considered life-threatening on a large scale. Unfortunately, that was almost the reality that citizens of Oldsmar, Florida faced when a hacker tried to poison the entire city through its water supply.

It was Friday morning when an employee at the city’s water treatment plant noticed his computer’s mouse cursor moving on its own. Familiar with the normal use of remote access by authorized personnel, the employee didn’t mind it until the operator noticed the same incident later in the afternoon, this time using remote access to increase the amount of sodium hydroxide or lye in the water from 100 parts per million to 11,100 parts. Lye is used in small quantities to regulate the pH balance of drinkable water but is poisonous to humans at higher levels.

The worst-case scenario, fortunately, didn’t occur as the operator quickly returned the levels back to normal before it could have any effect. Even if that much lye got out, the plant’s redundant systems would have alerted them to such a situation and it would take 24 to 36 hours before the tainted water would even reach the city’s population.

Regardless, the incident caused no small amount of concern from both local and federal authorities. This is perhaps one of the few instances of a publicly reported hacking incident that was intended to cause physical harm rather than just pilfering data. Last year, there were reports of a ransomware attack indirectly resulting in a German woman’s death due to delay, though the actual cause was later clarified to be unrelated.

Authorities are still investigating the incident and have yet to determine whether the attack was done locally, nationally, or even outside the country. Senator Marco Rubio (R-FL) has called on the FBI for assistance and wants it to be treated as a matter of national security.



Hackers tampered with a water treatment facility in Florida by changing chemical levels

Hackers successfully infiltrated the computer system controlling a water treatment facility in the city of Oldsmar, Florida, according to a report from the Tampa Bay Times. In doing so, the hackers were able to remotely control a computer to change the chemical levels of the water supply, increasing the amount of sodium hydroxide before a supervisor was able to catch the act in real time and revert the changes.

“At no time was there a significant adverse effect on the water being treated,” Pinellas County Sheriff Bob Gualtieri said during a press conference on Monday, which was later posted to YouTube. “Importantly, the public was never in danger.” Sodium hydroxide, commonly known as lye, is used in water to regulate acidity levels, the Tampa Bay Times reports, but in excess it can be dangerous to human beings because it’s the same inorganic compound used in corrosive household cleaners like Drano.

Although no one was injured, the incident is a disturbing example of hackers taking aim at public infrastructure with unclear intentions. Pinellas County is currently investigating the hack alongside the FBI and the Secret Service. Other nearby cities and towns have also been alerted to the potential threat.

It is not the first incident of water supplies being targeted — a water utility in Illinois was targeted by suspected Russian hackers in November of last year, while an attempted cyberattack on Israel last year that intelligence officials have linked to Iran involved attempts to manipulate the water supply, The Washington Post reported.

The Tampa Bay Times has a rather chilling anecdote in its report detailing the moment the remote plant operator noticed something was terribly wrong, when his mouse started moving on-screen without him touching it:

A plant operator was monitoring the system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn’t find this unusual, Gualtieri said, because his supervisor remotely accessed the system regularly.

But at about 1:30 p.m. the same day, Gualtieri said, someone accessed the system again. This time, he said, the operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.

The attacker left the system, Gualtieri said, and the operator immediately changed the concentration back to 100 parts per million.

The county says there are other safeguards in place that would have prevented direct harm to the 15,000 or so residents that rely on the Oldsmar plant for drinking water. For one, the water would have taken more than a day to enter the water supply, the sheriff says, meaning ample public warnings could have been issued in that time. There are also “redundancies in the system” that would have caught changes to the acidity of the water supply, the sheriff says.
