Hacked Florida water plant used same password for all computers
Monitoring system was connected directly to internet and used older version of Windows
The water treatment plant in Oldsmar, Florida, that was hacked on February 5 was using an outdated Windows operating system and a single password for all its computers, it was revealed on Thursday.
An advisory released by authorities in Massachusetts said the hackers who infiltrated Florida's Bruce T Haddock Water Treatment Plant exploited weaknesses in the system: the computers used to monitor the water plant were connected directly to the internet, used an outdated Windows operating system and had the same software access password.
It confirmed that the unidentified hackers gained access to the plant's supervisory control and data acquisition system via the remote access software programme TeamViewer.
“All computers used by water plant personnel were connected to the system and used the 32-bit version of the Windows 7 operating system,” it said. “Further, all computers shared the same password for remote access and appeared to be connected directly to the internet without any type of firewall protection installed.”
Windows 7 was released in 2009.
Massachusetts authorities obtained their information from the Federal Bureau of Investigation, the Department of Homeland Security, the US Secret Service and the Pinellas County Sheriff’s Office.
The FBI is running an investigation but has not yet identified the hackers, nor has it revealed if the attack was foreign or domestic.
After gaining remote access last Friday, the hackers raised the levels of sodium hydroxide in the water plant from about 100 parts per million to 11,100 parts per million for a few minutes, investigators told ABC.
But a plant manager who noticed the hack was able to thwart it before any serious damage occurred.
“The amount of sodium hydroxide that got in was minimal and was reversed quickly,” Pinellas County Sheriff Bob Gualtieri told Reuters on Monday. He called the hack “a wake-up call”.
In a column for The Hill this week, Chris Krebs, former director of the DHS Cybersecurity and Infrastructure Security Agency, said the hack showed how “dire the nation’s cybersecurity challenge is”.
“Unfortunately, that water treatment facility is the rule rather than the exception. When an organisation is struggling to make payroll and to keep systems on a generation of technology created in the last decade, even the basics in cybersecurity often are out of reach,” Mr Krebs said.
TeamViewer said it was running its own investigation into the hack.
Updated: February 12, 2021 11:31 AM