Oldsmar Water Plant Hacked, Authorities Downplay Danger
Around 1:30 p.m. on Friday, a plant operator at a water treatment facility in Oldsmar, Fla., noticed his mouse dash around his screen. For three to five minutes, police said, he tracked the arrow as it clicked open one software function after another until it finally landed on the controls to the water’s levels of sodium hydroxide, also known as lye.
Then, he watched the hacker who’d taken control of the system raise the levels of sodium hydroxide by more than 100-fold, according to police — a hazardous level that could sicken residents and corrode pipes.
The operator was able to quickly fix the levels moments after the hack, police said.
“At no time was there a significant adverse effect on the water being treated,” Pinellas County Sheriff Bob Gualtieri said Monday at a news conference. “Importantly, the public was never in danger.”
But the near-miss incident was the latest alarming sign that critical infrastructure in the United States is vulnerable to cyberattacks. In July, the Cybersecurity and Infrastructure Security Agency warned that infrastructure like water and power plants, emergency services and transportation systems make “attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”
Since the beginning of the coronavirus pandemic, hospitals nationwide have seen a surge in cyberattacks. In December, it was revealed that Russian hacking groups were behind massive breaches at the U.S. Treasury and Commerce departments.
In a tweet on Monday, Sen. Marco Rubio (R-Fla.) said he was asking the FBI to “provide all assistance necessary” in the investigation into the Oldsmar attack. “This should be treated as a matter of national security,” he wrote.
In Oldsmar, a city northwest of Tampa with about 15,000 residents, a plant operator first noticed someone remotely accessing the computer system at around 8 a.m. on Friday. The employee didn’t think much of it, Gualtieri said, because supervisors commonly used the software — which the sheriff told Reuters is called TeamViewer — to “monitor the system.”
In a statement to The Washington Post, TeamViewer spokesman Patrick Pickhan said the company was aware of reports of the hack, is “monitoring the situation” and condemns “any malicious behavior” on its software.
How much you want to bet some manager at the plant had a dead simple TeamViewer password, or was in the habit of having the password written down or stored in clear text on their phone?
Well, written down is not actually the problem a lot of IT people want it to be, unless you are also in the habit of showing it to people all the time.
Weak passwords are, however, another issue …
password=password.
The more interesting question is who did this? At a guess, disgruntled worker or someone who expects to get more budget from this.
On a side note, passwords are a problem, I have 50+ of them, maybe 100+. They need to be different. They need to be long.
I use a password manager, and my employer encourages us to use a different password manager on our work machines.
I also wonder if the plant workstations are behind a VPN?
Or leaving it on your desk, where it’s easy to see/find (under the keyboard is a great one). Or stored in clear text on your phone (people have strange ideas regarding how secure phones are).
I have too many friends working in IT security to make those mistakes. Other mistakes, sure.
I worked in Academia IT too long to not be almost 99% certain the water plant was hacked because someone was sloppy with their password.
Related… what are your thoughts on the following:
1.) Chrome’s built-in password manager
2.) Apple’s built-in password manager
3.) A 3rd party password manager like LastPass (I think I know your feeling on that one because I vaguely remember you recommending it but could be wrong)
If you have hesitations about any of those, what would you recommend for someone wanting to secure passwords for mostly personal use (e.g., bank accounts, email, etc.)?
Almost all of them are fine, but they are only as strong as your master password. And for that, I refer you to this wonderful XKCD comic.
Beyond that, it’s all about ease of use and what features you need. I like LastPass because it has features I find useful and I can run it almost everywhere.
LastPass has been my preferred one, though I have all three turned on and sometimes get annoyed when they start fighting with each other. But that is user error.
I could probably stand to pick a better master password. I mean, Password69 has worked thus far but…
Right up there with Maga2020!
I use phrases for my ‘have to remember it’ password, because it annoys dictionary attacks.
For instance, a few lines from a poem:
I took the one less traveled by,
And that has made all the difference.
becomes
Itt1ltbAthmatd!
Nice, long, meets all password requirements, and those two lines are easy to remember.
Great minds think alike – I do exactly the same, but use song lyrics, and a number that means something to me but to no one else (like my friend growing up -i.e. 35 years ago that I haven’t seen since the mid 80s- birthday)
And I use hints in my phone to remember like “Holophernes” is a key that I’m using the Hey Jude lyrics (Jude=Judith), and Alexander is a key for I’m using my friend’s birthday
It’s something my old boss told me to do back when I first started in IT. Can’t have network admin passwords that are easy to guess or crack, but you also don’t want to be forgetting it all the time.
Yeah, first letter from the lyrics of an obscure song plus something odd tacked on to the end to make the password-strength checkers happy.
I prefer post-it notes affixed to my monitor.
“password1234”
I wonder if it will come out this was a white-hat hacker, showing them their insecurities, and he’d never actually poison people. Or maybe I’m being too Pollyanna
That’s more of a Grey-Hat kind of thing. IIRC, white-hats are under contract.
This – right here this – is why the IOT is so worrisome. And don’t think turning it all off won’t be a goal of domestic terrorists at some point.
I hope there remains a market for things like low-end fridges and that like that DON’T connect to the internet; I have no interest in some goofball being able to turn my house lights off and on for the lulz just because I decided it was easier to control them from my phone than to throw a manual switch
One of my projects this week is to connect the Nest thermostat that came with the townhouse so that my wife can say, “Alexa, turn the temperature up two degrees.” Can you say, “Terrified,” boys and girls?
This is one of two reasons we have not replaced the side by side refrigerator we have and the wife dislikes.
Back in the 1960s, when the Bell System began deploying switches and other telecommunications gear that could be monitored and controlled remotely, they accepted Bell Labs’ word that the computers doing the control must never be connected to a public network. It’s expensive — in this case, you would have to physically go into the water treatment plant in order to adjust the settings, or have appropriate staff on site 24/7.
I expect to live long enough to see major utilities crash and burn because remote control over the public internet was cheaper.
My favorite story from my colleagues who administer large internet backbone networks is the guy who mistyped a command — in a Denver suburb — and disconnected most of the UK from the global internet. To reverse that error, someone in the UK got a phone call at 2:00 am local time and had to drive 90 minutes so they could physically touch the router.
The lack of awareness regarding IT security at utilities makes me want to line my roof with solar panels and keep a large tank of fresh water in the attic.
I have a friend in far western North Carolina who has installed a large genset. During a recent power outage — natural causes — he described their house as “an island of light in the sea of dark.” He has doubled his propane capacity and is now set up to handle a week if they are careful.
OTOH, I recently moved to an area served by a sizeable municipal power coop, leaving my previous private sector utility. After four months and a bit, the power has been so steady that I haven’t bothered putting the UPS on my desktop Mac.
Your friend might want to think about his basking in the glow . . . should any of the SHTF scenarios involving massive grid outages come to pass, his lights will attract all sorts of people . . .
that’s what blackout curtains are for….
In a SHTF scenario, I’m pretty sure that he won’t be an island of light in the dark. He’ll be down to minimum usage. Keeping the freezer running until it’s empty, etc.
The genset he got and the propane expansion are overengineering typical of him. What he wants to deal with are the (not revealed at the time they bought the house and land) three or four times per year the power is out for two to twelve hours.
The municipal utility that provides the power in our new place has the most flawless supply I’ve ever lived with. In the four months we’ve been here, the appliance timers have never reset. Hell, so far as I’ve noticed, the lights have never even flickered. I will put my desktop computer on the UPS one of these days, just to have it on the massive surge protector before the first thunderstorm season gets here.
Ars Technica reports that the computer involved in the attack was running Windows 7 (Microsoft dropped support last month), there was no firewall, and the password was shared by multiple users.
OMFG! If that wasn’t so damn scary, I’d be LMFAO! This is the kind of thing people should get fired for.
Windows 7 was a decent OS. For maximum comedy, they should have run Vista. And stored their most sensitive data in Access.Report
Still, I put this in the “Those who do not study UNIX are doomed to reinvent it, badly” category. The control application running on a $40 Raspberry Pi using X Windows over ssh and standard login/password security would have been enormously better. Other than the Pi, that’s all quarter-century old technology.
I have reconciled myself to the fact that when my utilities’ systems all come crashing down, it will be because it wasn’t running on some form of UNIX.
Oldsmar is a small town. I’d be surprised if the water plant had its own IT manager. They probably get IT support from the larger DPW – and that’s not a large outfit either. They aren’t going to have dozens of people with the latest certificates running this stuff 24/7 the same way DoD does.
You don’t need dozens of folks with the latest certificates to know that’s a disaster waiting to happen.
It might be too much to ask that they have a VPN. Perhaps a basic firewall is a bridge too far.
But not allowing shared passwords/accounts is basic fecking IT security. I mean, come on!