THANK YOU FOR SUBSCRIBING
That strong cybersecurity is essential for critical infrastructure isn’t news. Recent events have dramatically illustrated its importance though.
On February 5, 2021 the Haddock Water Treatment Plant in Oldsmar, Florida was hacked. The hacker may have used compromised login credentials found in a compilation of over 3.2 billion breached credentials posted a few days earlier on the dark web.
The hacker remotely accessed a computer in the water treatment plant using remote access software called TeamViewer.Once logged into the computer the hacker began to move the mouse pointer around the screen. The computer operator noticed the movement, but assumed it was his supervisor accessing his machine to obtain the system status (apparently a common occurrence).
The Oldsmar attack did not succeed in its apparent goal to harm the citizens of Oldsmar but it succeed in highlighting some serious weaknesses in the water treatment plant’s cybersecurity
Later in the day the hacker accessed the computer again. The hacker then increased the level of sodium hydroxide(lye) in the water from the normal 100 parts per million to 11,100 parts per million.That concentration of lye would harm anyone who drinks the water. Fortunately, the computer operator saw what happened and immediately reversed the change.
The Oldsmar attackdid not succeed in its apparent goal to harm the citizens of Oldsmar. The attack didsucceed in highlighting some serious weaknesses in the water treatment plant’s cybersecurity. Those weaknesses are shared by many other companies.
The operational technology, i.e. the supervisory control and data acquisition (SCADA) computer systems used to run the water treatment processes, were accessible from the Internet. Had the systems been isolated from the Internet the hacker would not have been able to launch the cyber-attack.
The hacker took advantage of the TeamViewer software installed on the plant’s computer systemto access the computer system despite the fact that the plant no longer used that software. The plant simply neglected to remove the software when it was no longer needed.
The water treatment plant used the same password for all of its computers. This allowed the hacker to access any computer in the plant.
The plant’s SCADA systems were connected to computers running Windows 7.Official support for Windows 7 ended on January 14, 2020. The end of support means that Microsoft will not create updates to Windows 7 after that date. Because threat actors continue to identify and exploit weaknesses in Windows even after official support ends, it is essential for companies to transition from end-of-life software to current supported versions.That is the only way to ensure that future vulnerabilities are addressed.
Two-factor authentication was not implemented at the plant. Two-factor authentication typically requires something the user knows, e.g. a password, and something the user has, such as a security token, text message on a mobile phone, or a code obtained from a smart phone authentication app. The cybersecurity of computer systems that lack multifactor authentication is increasingly viewed as deficient and substandard. That is the position many cyber insurers take today. If the Oldsmar water treatment plant required two factor authentication, unless the hacker was a disgruntled employee with authorized access to the system, the attack likely could have been prevented.
Although the Oldsmar attack was directed against a water utility, it is easy to imagine a similar attack against other businesses. SCADA equipment used by manufacturers may not have been designed with cybersecurity in mind. It is also possible that the firmware in such equipment and/or the software used to operate it has not been updated to eliminate known vulnerabilities. The risk posed by those vulnerabilities is amplified significantly if SCADA systems are accessible from the Internet. Many companies are also still using end-of-life software and operating systems. Despite its proven ability to defeat cyber attacks, two-factor authentication hasn’t yet been adopted as broadly as it needs to be.
Every company, especially those providing critical infrastructure, needs to learn the lessons the Oldsmar attack teaches. A failure to do so may lead to very expensive consequences, and in the worst case to significant property damage and injuries to people.