Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Breached Water Plant: Employees Used Same TeamViewer Password and No Firewall

February 17, 2021

Ars Technica reported on February 10 that the Oldsmar, Florida water treatment facility whose computer system experienced a potentially hazardous computer breach on February 5 used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees.

Oldsmar is a city of about 15,000 people about 15 miles northwest of Tampa. After gaining remote access to a computer that controlled equipment inside the Oldsmar water treatment plant, the unknown intruder increased the amount of sodium hydroxide—a caustic chemical better known as lye—by a factor of 100. This act could have caused severe illness or death had it not been for safeguards the city has in place.

According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA (supervisory control and data acquisition) system. Worse yet, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.

A private industry notification published by the FBI provided a similar assessment, saying "The cyber actors likely accessed the system by exploiting cyber security weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system."

This incident illustrates the lack of security found inside many critical infrastructure environments. In January, Microsoft ended support for Windows 7, which terminated security updates for the operating system. Windows 7 also is much less secure than Windows 10. The lack of a firewall and a password that was the same for each employee indicate that the department's security regimen was pretty darn terrible.

The breach occurred at about 1:30 p.m., when an employee happened to notice the mouse on his city computer moving on its own as an unknown party remotely accessed an interface that controlled the water treatment process. The person on the other end changed the amount of lye added to the water from about 100 parts per million to 11,100 ppm. Lye is used in small amounts to adjust drinking water alkalinity and remove metals and other contaminants. In larger doses, the chemical is a health hazard, as noted above.

Christopher Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, reportedly told a House of Representatives Homeland Security committee that the breach was "very likely" the work of "a disgruntled employee."

City officials said residents were never in danger because the change was quickly detected and reversed. Even if the change hadn't been reversed, the officials said, treatment plant personnel have redundancies in place to catch dangerous conditions before water is delivered to homes and businesses.
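As an added illustration (not part of the original post, and not the Oldsmar plant's actual safeguards), this is the kind of setpoint-change check an HMI or historian layer can enforce: it rejects a dose write that falls outside an assumed safe band and flags any in-band step larger than a set factor, run over constructed audit lines modelled on the 100 ppm to 11,100 ppm change. The tag name, the band, the change factor and the audit-line format are assumptions.

```python
import re

# Constructed audit lines (illustrative, not from the incident reports):
# timestamp, user, tag, old setpoint, new setpoint
SAMPLE_LOG = """\
2021-02-05T08:02:11 operator1 NaOH_DOSE_PPM 100 105
2021-02-05T13:30:42 remote_user NaOH_DOSE_PPM 100 11100
2021-02-05T13:33:05 operator1 NaOH_DOSE_PPM 11100 100
"""

# Assumed safe operating band per tag (hypothetical numbers, not a regulatory limit)
SAFE_BAND = {"NaOH_DOSE_PPM": (50.0, 300.0)}
MAX_CHANGE_FACTOR = 3.0  # any single step of more than 3x up or down needs review

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def evaluate_change(tag, old, new):
    """Return (action, reason) for a proposed setpoint write, or None if it is routine."""
    lo, hi = SAFE_BAND.get(tag, (None, None))
    if lo is not None and not lo <= new <= hi:
        # Out-of-band writes are rejected before they reach the controller
        return "block", f"new value {new:g} outside safe band [{lo:g}, {hi:g}]"
    if old > 0 and new > 0:
        factor = max(new / old, old / new)
        if factor > MAX_CHANGE_FACTOR:
            # In band but a large step (e.g. the correction back down): allow it, flag it
            return "review", f"change factor {factor:.0f}x exceeds {MAX_CHANGE_FACTOR:g}x"
    return None

def scan_audit_log(text):
    """Parse audit lines; return (timestamp, user, tag, old, new, action, reason)
    for every change that is not routine, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, tag, old, new = m.groups()
        result = evaluate_change(tag, float(old), float(new))
        if result:
            findings.append((ts, user, tag, float(old), float(new)) + result)
    return findings

if __name__ == "__main__":
    for ts, user, tag, old, new, action, reason in scan_audit_log(SAMPLE_LOG):
        print(f"{ts} {user} {tag} {old:g}->{new:g}: {action.upper()} ({reason})")
```

The out-of-band write is blocked outright, while the operator's correction back to 100 ppm is allowed through but left in the findings for review, so a large step in either direction is visible to whoever watches the log.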

While all of that is a good thing, that water treatment plant was woefully insecure – and the likelihood is high that there are many other similarly ill-protected SCADA systems across the country.

Hat tip to Jeff Fox.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson