Serg Nvns - Fotolia
A cybersecurity advisory by the Massachusetts state government revealed key details about the security posture of the Oldsmar, Fla., water treatment plant, which was breached last week.
An unknown threat actor last Friday gained control of a SCADA system inside the Oldsmar plant via TeamViewer and attempted to remotely raise the amount of sodium hydroxide in the water to dangerous levels, though a plant operator stopped the attack. The Massachusetts cybersecurity advisory, posted to help local water suppliers guard against similar cyber attacks, stated that several computers in the Oldsmar plant had TeamViewer installed and all of those computers shared the same password for remote access. It's unclear if the threat actor obtained the single password and used it to access TeamViewer.
In addition, the computers were connected to the internet without firewall protection, and "all computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system," the advisory, which first reported by Ars Technica on Wednesday, read.
Recommended mitigations for other water suppliers offered by Mass. officials include using firewalls, restricting remote connections and the often-suggested utilization of two-factor authentication.
Oldsmar city officials did not immediately respond to SearchSecurity's request for comment.
The FBI issued a private industry notification Tuesday that offered their latest findings at the time and made a similar reference to poor password security -- though far less specific or definitive.
"The cyber actors likely accessed the system by exploiting cyber security weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system," the notification read.
At a House of Representatives Homeland Security Committee meeting Wednesday, former Cybersecurity and Infrastructure Security Agency (CISA) director Christopher Krebs was asked about the Oldsmar attack. Krebs referred to Oldsmar as likely "the rule rather the exception."
"That is not their fault. That is absolutely not their fault. These are municipal utilities that do not have sufficient resources to have robust security programs. That is just the way it goes. They don't have the ability to collect revenue at a rate enough to secure their deployments," Krebs said.
Krebs, who now runs infosec consultancy Krebs Stamos Group alongside former Facebook chief security officer Alex Stamos, also commented that while the nature of the Oldsmar threat actor is as of yet unknown, people should not immediately conclude the attacker is state-sponsored.
"It's possible that this was an insider or a disgruntled employee. It is also possible that it was a foreign actor. This is why we do investigations. But we should not immediately jump to a conclusion that it is a sophisticated foreign adversary. The nature of the technology deployment in Florida -- it is certainly not where any information security or operation security professional would like for that security posture to be," he said.
Krebs made multiple suggestions for state and federal government in their response to the attempted water poisoning, including more federal funding for municipal security programs and more training for employees.
Alexander Culafi is a writer, journalist and podcaster based in Boston.