On Feb. 8, the Oldsmar water treatment plant in Florida came under cyberattack via a remote access system. The goal, as stated by the Tampa Bay Times, was to poison the water supply with sodium hydroxide. Attackers attempted to raise the chemical’s presence in the water by over a factor of 100. While the attack was thwarted by an alert employee who noticed the abnormalities in the treatment plant’s system, the fact remains that this attack came dangerously close to harming swaths of Floridians. In small doses, sodium hydroxide controls the acidity of treated water, but in such a large dosage, effects could range from chemical burns on the skin to total blindness.
Windows 7, no firewall, same passwords: What could go wrong?
The attack quickly made national news and forced water treatment facilities and many other so-called “soft targets” to go on high alert. In response, numerous government agencies released security alerts about the Oldsmar attack. One in particular, from the Massachusetts government, sheds light on the core vulnerabilities that allowed this attack to occur:
The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.
SCADA stands for “supervisory control and data acquisition” and, as one can guess, it was the lax security around this system that allowed the Oldsmar hack. What is highly concerning is that such lax security is not uncommon at core infrastructure plants around the United States. Even more disturbing, government agencies have long known that these facilities are insecure, and instead of hardening protections, they have chosen to put the general public at risk.
A vulnerable U.S. infrastructure
A damning report from Cyber News shows definitively just how vulnerable U.S. infrastructure is. The report was published in 2020 after a lengthy investigation by researchers at the publication, with the findings shown in a blog post. Of particular interest is the following excerpt from the research blog:
By scanning IP blocks for open ports in the US IP address range as part of an internet mapping project, we found a number of unprotected and accessible Industrial Control Systems in the country... Industry, institutions, and cybersecurity experts are all aware of the dangers associated with outdated ICS systems. But as our research shows, many ICS access points in the US, particularly in water and energy sectors, are still vulnerable to attacks:
- By using search engines dedicated to scanning all open ports, or scanning the ports themselves, hackers can remotely take control of critical private and public US infrastructure
- Unprotected ICS access points mostly include the energy and water industries: offshore and onshore oil wells, as well as public and private water distribution and treatment systems
- These systems could be accessed by anyone – with no passwords at all.
Florida water plant cyberattack not an anomaly
Though the report shows some examples that, following reports to CISA and other authorities, had their access hardened, this clearly was not enough. The cyberattack launched against the Florida water treatment plant was not an anomaly but rather a glaring example of just how close the United States is to a doomsday scenario that may lead to the deaths of potentially millions of Americans. If anything, the attackers at Oldsmar did the general public a favor as they shined a light on the incompetence of those tasked with protecting civilians from cyberattacks and their subsequent consequences.
A day of cybersecurity reckoning is coming, and the United States is clearly not ready for it. In my opinion, for all the jingoistic posturing that the U.S. government does about national security, passing billion-dollar defense bills to facilitate the invasion of foreign lands in the name of “protecting American interests,” the irony is a bit much. Maybe we should get our own house in order instead? I won’t hold my breath.