Lessons Learned from the Florida Water Treatment Plant Hack

In the first week of February 2021, the water treatment center for the city of Oldsmar Florida was the victim of a cyberattack. The attackers took advantage of remote access systems on the water treatment plant’s network to change the mix of chemicals entering the water.

Their attempt to increase the amount of sodium hydroxide in the water by 111x would have made the water dangerous to drink if successful. The attack was only averted because an employee noticed the change and reverted it before it could cause any damage.

What Went Wrong?

The Oldsmar water treatment plant hack is horrifying but not surprising. Critical infrastructure has suffered many intrusions in recent years, and the only difference between these and Oldsmar’s is that they were “proof of concept” rather than an attempt to do actual damage. The hack of the Oldsmar water treatment plant was made possible by a number of security errors, many of which are commonplace in the industry.

Remote Access to Critical Infrastructure

The attacks against the Oldsmar water treatment center took advantage of the common use of Teamviewer for remote control of these systems. The employee whose computer was used to change the settings on the water system detected access long before these settings were changed. However, he believed that the remote user was a supervisor remotely monitoring the system, which is common.

This use of remote access solutions for critical infrastructure contributed significantly to making this attack possible. Instead of “air gapping” critical systems - which used to be common practice - the control systems for the water treatment center were directly connected to the IT network, which is accessible from the public Internet. While this simplifies management of the systems, it also introduces new cyber risks.

Insecure and Outdated Systems

Another major issue with the water treatment center’s security is that it was using outdated systems and not following basic cybersecurity best practices. All computers used by the water treatment center’s personnel were running Windows 7, which has not been supported by Microsoft for over a year. Additionally, these systems were not protected by a firewall, making it far easier to exploit them remotely.

The use of Windows 7 is troubling but did not contribute to this attack. However, the lack of a firewall was crucial to the success of the Oldsmar attack. Teamviewer can use a custom port (5938) or HTTP-based tunneling for remote control. If a firewall was deployed to block traffic on these ports to the water treatment plant employees’ computers from outside the internal network, then performing this attack would have been much more difficult.

Numerous Access Control Failures

The use of Teamviewer - while dangerous - is not enough to make this attack possible. Gaining remote access to the water treatment plant required the attackers to gain access to a legitimate Teamviewer account.

A number of different access control issues made this possible:

• Shared Passwords:
  The TeamViewer software used in the attack had a single password shared by all users. This dramatically increases the probability of the password being compromised or easily guessable.
• Breached Passwords:
  Analysis after the attack revealed that eleven sets of credentials associated with the Oldsmar water treatment plant were compromised in a 2017 data breach, and thirteen were included in an aggregation of breaches (called COMB) revealed earlier this month. While it is not proven that the TeamViewer credentials were included in COMB, it is likely that they are and that COMB’s publication inspired the attack.
• Lack of Multi-Factor Authentication:
  TeamViewer supports multi-factor authentication (MFA), which makes it harder for compromised credentials to be used to access an account. The success of this attack indicates that MFA was not enabled in this case.

In combination, these factors made it trivial for an attacker to gain remote access to the water treatment plant and modify the chemical mixture of the town’s drinking water.

Securing Critical Infrastructure

The attack against Oldsmar is far from the first cyberattack against US critical infrastructure. However, the fact that it was so nearly successful - and the harm it could have caused if not detected and reversed - underscores the importance of implementing strong cybersecurity for critical infrastructure (and digital systems in general).

Most people don’t have control over their network architecture or the computers used for their job. However, one of the biggest failings behind the Oldsmar water treatment plant hack was poor password security, which people can control. There are systems - like Ghostvolt - that actively try to prevent the use of breached passwords and tools - like password managers - that do the work of creating, remembering, and filling in strong passwords for you. Take advantage of these resource and decrease your exposure to hacks like this one.