Earlier this month, hackers successfully carried out an attack against an Oldsmar, Florida water treatment facility, coming awfully close to poisoning the water supply. Attackers were able to access the water treatment plant’s Supervisory Control and Data Acquisition (SCADA) systems remotely and increase the levels of sodium hydroxide that is added to the water from 100 parts per million to 11,100 parts per million. In small doses this chemical is safe to consume. Fortunately, the change was discovered immediately by an employee and they were able to reverse the change, prior to any modifications in the levels of sodium hydroxide.
How did they do it?
The water treatment plant is running Windows 7 operating system on its computers. This is an outdated, unsupported operating system which had not received any updates in over a year. Attackers were able to compromise the computers due to the outdated systems which are affected by multiple known vulnerabilities. This resulted in unauthorized access to the systems. The computers had also been utilizing TeamViewer, a remote access software, to administer the machines as needed and respond to alerts. All the computers on the network that used TeamViewer utilized the same password and allowed anyone from the internet to access these systems. A recent data breach database that was leaked in 2017 contained passwords that matched the domain of ci.oldsmar.fl.us. It is believed the attackers used these passwords to gain access via TeamViewer. Once attackers had gained access via the outdated operating system, they used this software to remotely access the desktop and modify the sodium hydroxide levels.
What to do?
If your organization is hosting critical infrastructure, like SCADA or Cardholder Data Environments (CDE) for PCI, it’s crucial to:
- Properly segment these systems from non-critical networks.
- Ensure all operating systems in use, across all networks, are supported by the vendor and receiving and applying regular security patches.
- Regular testing to check for proper segmentation should be done to validate the security access controls in place are sufficient to limit access to critical infrastructure.
- Limit the types of software allowed on your systems.
- Eliminate all local administrator accounts to enforce the principle of least privilege.
- Have a strong password policy that is strictly enforced for all types of accounts.
nGuard has broad experience helping to secure all types of critical infrastructure organizations, including energy. By leveraging penetration testing, managed security solutions and Cyber Security Incident Response, we can help your organization become secure and meet your compliance goals.