What We Can Learn from the Attempted Attack on a Florida Water Treatment Plant

A failed attempt to poison the water at a Florida treatment plant serves as a jarring reminder of the dangers of weak cybersecurity. 

A recent attack on a water treatment plant in Oldsmar, Florida is serving as an unsettling reminder of the dangers of insufficient cybersecurity. Although the attack was fortunately stopped in time, if the hacker had succeeded the consequences would have been devastating. The hacker’s aim was to take control of the plant’s network and poison an underground water reservoir that delivers drinking water to 15,000 people. 


As US law enforcement officials continue to investigate the hacker’s attempt, cybersecurity professionals are calling this incident yet another wake-up call for city governments, who need to examine their role in protecting critical infrastructure from cyber attackers. While nearly everyone is familiar with the threat of data breaches, this attack is an important reminder that there is no ethical line a hacker won’t cross, which means anyone could be at risk.


While disaster was averted this time around, there’s no telling where or when the next attack will occur — or if officials will be lucky enough to stop it in its tracks. Government leaders need to use this incident as an opportunity to learn from the Oldsmar plant’s mistakes and take steps to strengthen their own cybersecurity measures. 


Narrowly Avoiding Disaster 

The breach that occurred in Florida is the kind of attack cybersecurity experts have been warning about for years. The most troubling thing about the events in Oldsmar is that they could have happened in any number of cities whose cybersecurity is similarly weak. 


In Oldsmar, all of the city’s cybersecurity systems — including the water treatment plant’s — are managed by one man, meaning IT support is thin on the ground. All the hacker needed to do to get access to the plant was to log in to the plant’s TeamViewer account (which lets remote users take full control of a computer). From there, they were able to open and toy with a program that sets the chemical content for the underground water reservoir, raising the levels of lye in the water from 100 to an extremely hazardous 11,100 parts per million.


Fortunately, the facility had backup alarms in place to detect unsafe chemical levels, so the breach was caught before the water was affected. Even so, the hackers were briefly able to order the plant to poison the water.


How Cybersecurity Failed 

There were three main factors that made it easy for hackers to gain access to the Oldsmar water treatment plant. First, the compromised computer was running an outdated Windows 7 operating system. As of January 14, 2020, Microsoft had stopped offering software and security updates or technical support for Windows 7, warning users that while they could continue using PCs with the operating system, they would be at much higher risk for malware and viruses. Despite that warning, the plant continued to run the system.


The second factor was that staff all used the same password for remote access through the TeamViewer application as well as on all the plant’s computers. The third factor was that all the plant’s computers were connected directly to the Internet without any type of firewall protection in place. 
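The three factors above can each be checked from an asset inventory. The following is an added example, not code from the plant or from TTI: the hosts, field names and audit date are constructed, and "credential_id" is assumed to be a reference to a password-vault record rather than the password itself.

```python
from collections import defaultdict
from datetime import date

# Vendor end-of-support dates; the Windows 7 date is the one given in the article.
END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14)}

# Constructed inventory for illustration (hypothetical hosts and field names).
# "credential_id" names the vault record used for remote access, never the password.
INVENTORY = [
    {"host": "hmi-01", "os": "Windows 7", "credential_id": "cred-A",
     "internet_facing": True, "firewalled": False},
    {"host": "hmi-02", "os": "Windows 7", "credential_id": "cred-A",
     "internet_facing": True, "firewalled": False},
    {"host": "eng-ws", "os": "Windows 10", "credential_id": "cred-B",
     "internet_facing": False, "firewalled": True},
]


def audit(inventory, today):
    """Return {host: [finding, ...]} for the three weaknesses described above."""
    # Group hosts by remote-access credential to spot reuse across machines.
    by_cred = defaultdict(list)
    for asset in inventory:
        by_cred[asset["credential_id"]].append(asset["host"])

    findings = {}
    for asset in inventory:
        issues = []
        eos = END_OF_SUPPORT.get(asset["os"])
        if eos is not None and today >= eos:
            issues.append("unsupported_os")
        if len(by_cred[asset["credential_id"]]) > 1:
            issues.append("shared_remote_credential")
        if asset["internet_facing"] and not asset["firewalled"]:
            issues.append("exposed_without_firewall")
        if issues:
            findings[asset["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in sorted(audit(INVENTORY, date(2021, 3, 1)).items()):
        print(f"{host}: {', '.join(issues)}")
```

A host that reports all three findings at once matches the profile of the compromised computer described above and belongs at the top of the remediation list.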


Unfortunately, these kinds of cybersecurity vulnerabilities are far too common when it comes to essential infrastructure. Water treatment plants in particular tend to have very weak protection due to a dearth of IT technicians. Most have one or two IT techs on staff at most, who are usually too overwhelmed to take the steps they know are necessary to stay cyber secure.


Taken together, all these factors mean that much of the essential infrastructure that we rely on for daily life is vulnerable to attacks. And these breaches could come from anywhere — anyone from a disgruntled former employee to a foreign government-sponsored actor could potentially hack into an unprotected system. 


The Lesson from Florida: It’s Time to Ramp up Cybersecurity

For years, federal officials have worried about a “cyber Pearl Harbor.” That level of disaster may have been averted this time around, but there’s no guarantee that officials will be that lucky a second time. 


The Florida attack needs to be a wake-up call for government officials across the country. With a new COVID-19 stimulus package on the way — and $350 billion in aid promised to state and local governments — now is the perfect time to act. Officials need to make cybersecurity for essential infrastructure a priority, allocating their relief money for essential tech investments.


For city governments looking to make the most of their tech investments, the best choice is to turn to a cybersecurity partner that can help identify vulnerabilities and determine which investments will have the greatest impact. At Turn-key Technologies, Inc. (TTI), our cybersecurity experts are ready to be those partners. With more than 30 years of experience in the field, we have the knowledge to help you protect your essential infrastructure and keep your citizens safe.

Contact us today to learn more about how TTI can help you prevent attacks like the one in Florida.

By Craig Badrick

