Inadequate Password Security Resulted in Recent Hack of Water Treatment Facility

Recent developments have surfaced concerning a cyber intrusion at a water treatment facility in Florida, which took place last Friday. This incident underscores the inadequacies in cybersecurity measures necessary for safeguarding critical infrastructure.

The breach involved an attacker’s attempt to dangerously increase sodium hydroxide levels in the water supply by remotely accessing the facility’s SCADA (supervisory control and data acquisition) system. Fortunately, the plant’s operator detected the intrusion in time and reversed the unauthorized command, mitigating potential consequences.

According to an advisory released by Massachusetts officials on Wednesday, unidentified cyber actors accessed the SCADA system using TeamViewer software installed on one of the plant’s connected computers. Alarmingly, these systems were operating on outdated 32-bit Windows 7, which has been unsupported since January 14, 2020. Moreover, these computers shared the same remote access password and were directly exposed to the Internet without any firewall protections.

This incident emphasizes a broader concern, as many small public utilities struggle with aging infrastructure and often find their IT departments underfunded and lacking the necessary expertise to effectively manage cybersecurity risks. This creates vulnerabilities that can be exploited by malicious actors.

State officials recommend placing restrictions on all remote connections to SCADA systems, particularly those allowing for physical control manipulation. Implementing unidirectional monitoring is advised for safely monitoring these systems externally. Furthermore, keeping all hardware and software, particularly SCADA and ICS software, updated and patched is essential. The importance of employing two-factor authentication with robust passwords cannot be overstated.

In tandem with this, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a separate alert highlighting the risks posed by cybercriminals utilizing desktop sharing software and targeting outdated operating systems. They further emphasized the need for protective measures, including independent cyber-physical safety systems, and advised configuring TeamViewer for manual activation, eschewing unattended access features.

This incident serves as a clarion call for organizations to bolster their cybersecurity infrastructure, as the implications of such vulnerabilities extend beyond individual facilities, impacting broader societal trust in essential services.