
Florida Water Plant "Hacked" and poisoned the water supply - Password reuse -

wanderingfool2

Hackers "breached" a water treatment plant, and momentarily changed the sodium hydroxide (Lye) levels from 100 ppm to 11,100 ppm.  The reason it was caught was the employee sitting at the computer was paying attention, and quickly set it back to appropriate levels (before anything could happen).  The cause of the breach?  A TeamViewer password shared amongst employees to be able to remote into the computer to work from it from home.  The other alarming thing though, the use of an unsupported version without a firewall.  There were other safeguards in place down the line that would have potentially prevented the tainted water from reaching the community.

 

Quote

The attacker changed the level of sodium hydroxide in the water treatment plant in the town of Oldsmar from about 100 parts per million to 11,100 parts per million, said Bob Gualtieri, the sheriff of Pinellas County, Florida. Treatment plants use sodium hydroxide to make water drinkable, but it can be unsafe for people in large quantities.

Quote

The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.

 

 

To have an unpatched outdated system, connected to a critical system and then further to have TeamViewer installed sharing the username and password...really hope that someone loses their job and goes to jail for this level of incompetence.  Guessing it was probably an irate employee, but if they really left it this insecure it wouldn't surprise me that someone left it on a post-it note and left it in plain sight of the public.  This really could have turned out much worse though, given that if they had done it at a better time it could have gone unnoticed and caused deaths.

 

 

https://www.cyberscoop.com/florida-hacker-water-plant-sodium-hydroxide/

https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/

3735928559 - Beware of the dead beef

Link to comment

1 minute ago, wanderingfool2 said:

momentarily changed the sodium hydroxide (Lye) levels from 100 ppm to 11,100 ppm. 

Unacceptable really.  There should be safeguards in place to not allow such a drastic change. 

"And I'll be damned if I let myself trip from a lesser man's ledge"

Link to comment

6 minutes ago, wanderingfool2 said:

To have an unpatched outdated system, connected to a critical system and then further to have TeamViewer installed sharing the username and password...really hope that someone loses their job and goes to jail for this level of incompetence.  Guessing it was probably an irate employee, but if they really left it this insecure it wouldn't surprise me that someone left it on a post-it note and left it in plain sight of the public.  This really could have turned out much worse though, given that if they had done it at a better time it could have gone unnoticed and caused deaths.

So you have a critical and unpatched system that someone decided to connect to another system to put it on the internet? Brilliant! I definitely hope someone's head rolls for this so to speak.

Link to comment

5 minutes ago, Lurick said:

So you have a critical and unpatched system that someone decided to connect to another system to put it on the internet? Brilliant! I definitely hope someone's head rolls for this so to speak.

SCADA systems being connected to the internet has been a thing since around 2009. You can go on Shodan, Censys, or use IVRE and connect to thousands of industrial control systems in the world, ranging from power plants, windmills, traffic lights, and in this case a water treatment plant. All it takes is a simple Google search of the manufacturer and you can find the default username and password and try it. Sometimes it works. To me it sounds like a teenager screwing around on Shodan, found this treatment plant, logged on and found out he could actually sign in with the default settings, changed some random setting, then flipped out because it actually worked and made the news.

Link to comment

20 minutes ago, Velcade said:

Unacceptable really.  There should be safeguards in place to not allow such a drastic change. 

It takes two people to turn two separated keys to launch an ICBM. You would think making such changes that affect people's wellbeing would also require two people's approval to commit a change.

Link to comment

30 minutes ago, Velcade said:

Unacceptable really.  There should be safeguards in place to not allow such a drastic change. 

 

33 minutes ago, wanderingfool2 said:

There were other safeguards in place down the line that would have potentially prevented the tainted water from reaching the community.

directly from the article

Quote

Even if the change hadn’t been reversed, the officials said, treatment plant personnel have redundancies in place to catch dangerous conditions before water is delivered to homes and businesses.

seriously, please read more than just the headline before getting outraged.

Link to comment

1 hour ago, poochyena said:

 

directly from the article

seriously, please read more than just the headline before getting outraged.

Outraged is a strong word...

 

What I said was there should have been controls in place to not even allow the change to happen.  I saw they had safeguards downstream but that's after the water is quite alkaline.   

"And I'll be damned if I let myself trip from a lesser man's ledge"

Link to comment

43 minutes ago, BuckGup said:

SCADA systems being connected to the internet has been a thing since around 2009. You can go on Shodan, Censys, or use IVRE and connect to thousands of industrial control systems in the world, ranging from power plants, windmills, traffic lights, and in this case a water treatment plant. All it takes is a simple Google search of the manufacturer and you can find the default username and password and try it. Sometimes it works. To me it sounds like a teenager screwing around on Shodan, found this treatment plant, logged on and found out he could actually sign in with the default settings, changed some random setting, then flipped out because it actually worked and made the news.

Yah, definitely know it's a thing. It shouldn't be a thing but sadly it is.

Link to comment

49 minutes ago, wanderingfool2 said:

A TeamViewer password shared amongst employees to be able to remote into the computer to work from it from home.

So the employees installed a backdoor in the system and the hackers used it - Don't they have an IT team?

51 minutes ago, wanderingfool2 said:

The other alarming thing though, the use of an unsupported version without a firewall.

Windows 7 has known, unpatched and serious vulnerabilities.

I get that a lot of specialized software have compatibility issues with Windows 10, but at least do something to mitigate the risks.

Now that I think about it, why didn't they buy the ESU updates from Microsoft, especially when it comes to a system that is crucial to human life?

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566
Link to comment

55 minutes ago, wanderingfool2 said:

momentarily changed the sodium hydroxide (Lye) levels from 100 ppm to 11,100 ppm.

I don't know much about the facility in question, but I do know that where I live, NaOH is used to remove calcium from the water, which is pretty much the first stage of the plant. It's not added into the water on the export side. I guess this could be one of the reasons why no one was at risk here.

Link to comment

Obviously the plant should have better security but... I'm flabbergasted someone would go and intentionally poison water people drink. Like, why? Who hurt you?

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

Link to comment

1 minute ago, Sauron said:

Obviously the plant should have better security but... I'm flabbergasted someone would go and intentionally poison water people drink. Like, why? Who hurt you?

Some people think it's a game, some think it's funny, either way - they are mental.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566
Link to comment

This is an absolute failure. If this was a poor engineer who was socially engineered into giving details on how to get into something that is properly secured, the story wouldn't sting as much. Unfortunately, this is hackers getting into something that essentially had no security at all... Water supply should not be that susceptible to an attack. 

GPU: XFX RX 7900 XTX

CPU: Ryzen 7 7800X3D

Link to comment

You would be surprised (but you really shouldn't be) at how much infrastructure is run on old, outdated and unsecure hardware. 

 

Whenever updating systems is brought up, I guarantee the response was "eh, it still works and we've not been hacked yet". They don't update pre-emptively, it's almost always as a response.

Link to comment

2 hours ago, Velcade said:

Unacceptable really.  There should be safeguards in place to not allow such a drastic change. 

Yeah why would they ever need the option to increase the amount to that level. You would think that control would be put in place to ensure that unsafe levels are not an option in the first place. Why would they ever need to increase the chemicals to a poisonous level is beyond me. 

Link to comment

3 hours ago, poochyena said:

seriously, please read more than just the headline before getting outraged.

Yes, there were safeguards in place, which does mitigate a bit of the frustration...with that said, safeguards can fail (Chernobyl had safeguards)... and given the total lack of security they had, it wouldn't surprise me that some of the other safeguard systems could be manipulated as well.  In another case if the safeguard did catch it, one would question whether that would mean the town would have to go without water for a while (just a hypothetical).

 

Ultimately, any system that deals with something such as water supplies, electric, etc...they should have more security than an unpatched Windows 7 system, with no firewall controls, and TeamViewer where the password and username are handed out like candy.  Any remote controlling of a system should at minimum have to log into a VPN with a 2FA and the users are domain users.

3735928559 - Beware of the dead beef

Link to comment

3 hours ago, StDragon said:

It takes two people to turn two separated keys to launch an ICBM. You would think making such changes that affect people's wellbeing would also require two people's approval to commit a change.

It would also then take two people to do a SCRAM at a Nuclear plant. Not the right approach.

 

When it involves people's safety, you want to be able to shut stuff down immediately. Now aside from the obvious security gaffe here of having nothing between the computer and the internet, the "second person" here is who caught it.

 

What you'd probably want are safety valves that are not computer operated that open if certain settings are too far out of normal. Like I'm sure if the sodium hydroxide were set to that level, it would have drained whatever tank it comes out of at a rate that would be noticed since it would require a massive pressure change to go from 100, to 11100, which is 111x the original setting, and likely extremely far outside the normal setting.

Link to comment

11 minutes ago, Kisai said:

When it involves people's safety, you want to be able to shut stuff down immediately. Now aside from the obvious security gaffe here of having nothing between the computer and the internet, the "second person" here is who caught it.

Actually, in this case it was caught because the person who was sitting at the computer was watching the computer.  There isn't actually mention of what exactly the safeguards would be in this case.  Given the practice that they were showing here as well, one would also question whether safeguards (if it's procedures) are being done properly.  An unprotected system that has controls like that should never be allowed easy access like that.

3735928559 - Beware of the dead beef

Link to comment

1 hour ago, wanderingfool2 said:

Actually, in this case it was caught because the person who was sitting at the computer was watching the computer.  There isn't actually mention of what exactly the safeguards would be in this case.  Given the practice that they were showing here as well, one would also question whether safeguards (if it's procedures) are being done properly.  An unprotected system that has controls like that should never be allowed easy access like that.

Consider two separate situations:

a) There was nobody watching it

- surely someone would be alarmed when the water smell changed

- surely someone would have noticed the Sodium Hydroxide being drained rapidly

- I'm also pretty sure it would have been limited by the pipe size.

b) The setting was not valid/underlying hardware doesn't allow that setting

- nobody would have noticed unless someone was actively using the computer

- someone could have made incremental changes that went unnoticed during times nobody was expected to be in the building.

 

Like with water treatment, we saw with Flint how quickly the wrong chemical mixture will wreak havoc on the plumbing, let alone if anyone is poisoned from it.

 

Link to comment
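The control several posts above argue over, written out as an added example that is not part of the original thread or of any plant's software: a setpoint check that refuses out-of-range values, applies reductions at once, and holds large or creeping raises for a second person. The class name, the limits (50 to 300 ppm, 20 ppm step, 40 ppm drift per hour) and the operator names are hypothetical, and treating a reduction as the safe direction is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SetpointGuard:
    """Server-side check for a dosing setpoint (hypothetical; limits are constructed)."""
    low: float        # lowest setpoint the process ever needs (ppm)
    high: float       # highest setpoint the process ever needs (ppm)
    max_step: float   # largest single raise one operator may make alone
    max_drift: float  # largest net raise inside window_s without a second person
    window_s: float   # look-back window for the drift check, in seconds
    value: float      # current setpoint
    history: List[Tuple[float, float]] = field(default_factory=list)  # (time, previous value)

    def _apply(self, new: float, now: float) -> str:
        self.history.append((now, self.value))
        self.value = new
        return "APPLIED"

    def request(self, new: float, operator: str, now: float,
                approver: Optional[str] = None) -> str:
        # 1. Hard limits: a value outside the engineered range is never accepted,
        #    no matter who asks or how many people approve.
        if not (self.low <= new <= self.high):
            return "REJECT_OUT_OF_RANGE"
        # 2. Reductions apply immediately (assumed safe direction), so a single
        #    operator can always back a bad change out without waiting.
        if new <= self.value:
            return self._apply(new, now)
        # 3. Raises: compare against the lowest value seen inside the window so
        #    that many small steps are judged by their sum, not one at a time.
        self.history = [(t, v) for t, v in self.history if now - t <= self.window_s]
        baseline = min([v for _, v in self.history] + [self.value])
        too_fast = (new - self.value) > self.max_step
        creeping = (new - baseline) > self.max_drift
        if (too_fast or creeping) and (approver is None or approver == operator):
            return "HOLD_NEEDS_SECOND_APPROVER"
        return self._apply(new, now)


def demo() -> List[str]:
    """Replay a constructed sequence of requests against constructed limits."""
    g = SetpointGuard(low=50, high=300, max_step=20, max_drift=40,
                      window_s=3600, value=100)
    return [
        g.request(11100, "op1", now=0),                    # the value from the incident
        g.request(115, "op1", now=0),                      # small raise
        g.request(130, "op1", now=600),                    # another small raise
        g.request(145, "op1", now=1200),                   # small step, but 45 ppm net
        g.request(145, "op1", now=1200, approver="op1"),   # self-approval
        g.request(145, "op1", now=1200, approver="op2"),   # second person signs off
        g.request(100, "op1", now=1300),                   # reduction, no approval needed
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A check like this belongs in the controller or the server that writes to it, not in the operator screen, so that a remote desktop session cannot bypass it.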

5 hours ago, Vishera said:

Windows 7 has known, unpatched and serious vulnerabilities.

Windows 7 is still getting patches if you are paying for ESU, there's this current year and next year still left for that. Seems people are making a leap that since they are running Windows 7 then they are not supported and not patched, that's quite the assumption to make that they are not paying for ESU and are in fact patched and supported.

Link to comment

So it was just plain luck that Florida got saved. The guy that caught it should get a bonus.

Link to comment

4 hours ago, leadeater said:

Windows 7 is still getting patches if you are paying for ESU, there's this current year and next year still left for that. Seems people are making a leap that since they are running Windows 7 then they are not supported and not patched, that's quite the assumption to make that they are not paying for ESU and are in fact patched and supported.

While Windows 7 is still being patched, at least by the quote from the FBI in the article it appears that they were hinting the system was in an unpatched state ("outdated", so in theory it could mean patched)...with that said as well, one can make an assumption that they perhaps were not diligent with security and would operate without the ESU (given they stopped using TeamViewer 6 months ago and left it installed, plus used the same username and password which was given to employees, and appeared to have run it without any firewall restrictions...as per the Massachusetts officials).

 

Think we could both agree though that there was a major lapse in security, and using TeamViewer in the way they were is just asking for trouble.

 

5 hours ago, Kisai said:

Consider two separate situations:

a) There was nobody watching it

- surely someone would be alarmed when the water smell changed

- surely someone would have noticed the Sodium Hydroxide being drained rapidly

- I'm also pretty sure it would have been limited by the pipe size.

b) The setting was not valid/underlying hardware doesn't allow that setting

- nobody would have noticed unless someone was actively using the computer

- someone could have made incremental changes that went unnoticed during times nobody was expected to be in the building.

 

Like with water treatment, we saw with Flint how quickly the wrong chemical mixture will wreak havoc on the plumbing, let alone if anyone is poisoned from it.

 

I think it would really depend...but based on the articles I read, it seems as though things wouldn't be an issue until multiple hours of it at that setting, so perhaps the addition would be more drawn out (ie the system working to get the water to that target).  My assumption is that the safeguards are likely water sample testing...but if that's the case, it could still cause disruptions in the system.

3735928559 - Beware of the dead beef

Link to comment

5 hours ago, wanderingfool2 said:

While Windows 7 is still being patched, at least by the quote from the FBI in the article it appears that they were hinting the system was in an unpatched state ("outdated", so in theory it could mean patched)...with that said as well, one can make an assumption that they perhaps were not diligent with security and would operate without the ESU (given they stopped using TeamViewer 6 months ago and left it installed, plus used the same username and password which was given to employees, and appeared to have run it without any firewall restrictions...as per the Massachusetts officials).

 

Think we could both agree though that there was a major lapse in security, and using TeamViewer in the way they were is just asking for trouble.

The wording is a little fuzzy, seems both cases are equally as likely. However based on point of entry Windows 7, patched or unpatched, has very little to do with it. It would have happened on a fully patched Windows 10 system too as the patch status of Windows will do nothing to Teamviewer in this situation. Seems to be more an adjacent criticism to me, although contextual in the sense that it goes towards the general operating practices i.e. bad.

 

Teamviewer itself is just a really poor method of remote access anyway, securing it through a firewall while doable is a little pointless. Teamviewer itself is designed in a way to make it through firewalls and is purpose-designed to do so without rules to allow it, as best as they can achieve of course. You either outright block Teamviewer or you allow it and risk that you do not actually have full control of allowed remote hosts/networks.

 

Quote

When establishing a session, TeamViewer determines the optimal type of connection. After the handshake through our master servers, a direct connection via UDP or TCP is established in 70% of all cases (even behind standard gateways, NATs and firewalls). The rest of the connections are routed through our highly redundant router network via TCP or https tunneling.

 

You do not have to open any ports in order to work with TeamViewer

https://www.teamviewer.com/en/trust-center/security/

 

Because Teamviewer is actively designed and built around bypassing firewalls it makes it a very high security risk, it should never be used for remote access into a corporate network, regardless of how sensitive that network or business is or isn't. It gets used because "it just works" but that's also exactly what makes it so dangerous.

Link to comment
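One way to check whether the "outright block" described in the post above is actually in force, as an added example that is not part of the original thread: scan egress logs for control-network hosts reaching TeamViewer by hostname or by its standard port 5938, and separate the attempts the firewall allowed from those it denied. The log layout, the subnet, the host addresses and the host names are constructed for illustration; matching on hostname as well as port covers the fallback to TCP/HTTPS tunnelling mentioned in the quoted TeamViewer text.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this sketch: the control network is 10.20.0.0/24 and the
# firewall writes one flow per line as
#   <timestamp> <src_ip> <dst_host_or_ip> <dst_port> <proto> <allow|deny>
OT_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
TEAMVIEWER_PORT = 5938
TEAMVIEWER_DOMAIN = "teamviewer.com"

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2024-01-10T08:01:12Z 10.20.0.15 router7.teamviewer.com 5938 tcp allow
2024-01-10T08:01:13Z 10.20.0.15 router7.teamviewer.com 443 tcp allow
2024-01-10T08:02:40Z 10.20.0.22 updates.example.net 443 tcp allow
2024-01-10T08:03:05Z 10.30.0.9 master3.teamviewer.com 5938 udp allow
2024-01-10T08:04:51Z 10.20.0.31 198.51.100.7 5938 udp deny
2024-01-10T08:05:02Z 10.20.0.22 notteamviewer.com 443 tcp allow
this line is malformed and must be skipped
"""


def is_teamviewer_host(name: str) -> bool:
    """True for teamviewer.com and its subdomains, not for look-alike suffixes."""
    name = name.lower().rstrip(".")
    return name == TEAMVIEWER_DOMAIN or name.endswith("." + TEAMVIEWER_DOMAIN)


def find_remote_access_egress(log_text: str, ot_subnets=OT_SUBNETS) -> dict:
    """Return {src_ip: {"reasons": [...], "allowed": n, "denied": n}} for OT hosts."""
    findings = defaultdict(lambda: {"reasons": set(), "allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of failing the whole scan
        _ts, src, dst, port, _proto, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            port_no = int(port)
        except ValueError:
            continue
        if not any(src_ip in net for net in ot_subnets):
            continue  # only the control network is in scope here
        reasons = set()
        if is_teamviewer_host(dst):
            reasons.add("hostname")
        if port_no == TEAMVIEWER_PORT:
            reasons.add("port")
        if not reasons:
            continue
        entry = findings[src]
        entry["reasons"] |= reasons
        entry["allowed" if action == "allow" else "denied"] += 1
    return {src: {"reasons": sorted(e["reasons"]),
                  "allowed": e["allowed"], "denied": e["denied"]}
            for src, e in findings.items()}


def hosts_with_allowed_sessions(findings: dict) -> list:
    """Hosts where at least one matching flow got out: the block is not in force."""
    return sorted(src for src, e in findings.items() if e["allowed"] > 0)


if __name__ == "__main__":
    result = find_remote_access_egress(SAMPLE_LOG)
    for src, entry in sorted(result.items()):
        print(src, entry)
    print("needs action:", hosts_with_allowed_sessions(result))
```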
