Hacked Florida Water Plant Reportedly Had No Firewall and Poor Password Security

Hacked Florida Water Plant Reportedly Had No Firewall and Poor Password Security
Photo: Justin Sullivan, Getty Images

The water plant in Oldsmar, Fla. targeted by a hacker in a horrifying cyberattack last week is said to have exhibited very weak IT security practices. Recent updates from government authorities claim the facility did not have some basic network protections — including a firewall.

In case you missed it, a hacker allegedly hijacked the plant’s operational controls on Friday, temporarily driving up the sodium hydroxide content in the water to poisonous levels. The facility is the primary source of drinking water for the city’s 15,000 residents. Though a plant operator was ultimately able to return the water to normal levels, the incident has nonetheless launched a conversation about the state of security in America’s critical infrastructure.

Like many facilities of its kind, Oldsmar uses a SCADA (short for “supervisory control and data acquisition system”) that allows staff to monitor and control conditions within the facility. At the same time, the staff has also been using TeamViewer, a fairly common remote access program, which can be used to monitor and control systems within the SCADA.

According to a new cybersecurity advisory from the state of Massachusetts, the plant’s protections for these systems left something to be desired. Not only was the facility using Windows 7 — an outdated software that Microsoft no longer supports — but all of its employees apparently shared the same password to access TeamViewer. On top of this, the advisory claims that the facility “appeared to be connected directly to the Internet without any type of firewall protection installed.”

Yes, not exactly a five-star review. The FBI reiterated this poor assessment on Wednesday, which released an alert to private industry leaders regarding the Oldsmar incident. The Bureau stated that hackers no doubt exploited the facility’s “cybersecurity weaknesses” and warned businesses against similar practices:

“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorised access to the system.”

Both the FBI and the Massachusetts advisory seem to confirm that the hackers were able to gain entry through TeamViewer, crawling in either via poor password security or the outdated Windows 7 program the facility was using.

All industrial organisations operate with a symbiotic intermix of informational and operational technology — and cyber researchers have long hypothesised about the kinds of horrors that await in a world where bad actors can use the former to commandeer the latter. Oldsmar has certainly kicked that conversation into hyperdrive — spurring a broader conversation about how to protect America’s critical infrastructure.

Ultimately, the city’s security weaknesses are also not all that surprising. State and local governments have long lagged behind federal agencies and the private sector when it comes to security — a central reason why legislators have been pushing to drive federal funding downward to state and local agencies for cybersecurity. The Oldsmar incident — combined with the shockwaves from the ongoing SolarWinds scandal — has only further spurred calls for more general investment in public sector cybersecurity, which the new Biden administration has promised to make good on.