
Florida Water Plant "Hacked" and poisoned the water supply - Password reuse -

wanderingfool2

I'm surprised the chemical injector is even sized to add such a huge amount. Was that actually added, or was it just the set value that high? I mean, I can set my thermostat in winter to 100F, that doesn't mean the system can actually achieve it. So there may not have been any actual danger to get 110 times the amount.

And the control should have had a fixed range. Like if 100ppm is a normal amount, the maximum possible set-value should have been 300 ppm or something.

 

I'm not surprised they use old hardware and software. W7 actually still is modern compared to other systems still in use. I'm also not surprised they don't have an actually good IT department. Lack of funding, and staff that doesn't necessarily get chased by Google headhunters.

 

As for someone seeing the tank being empty etc. A city has multiple well and pump houses and they are not manned. Someone goes there on some frequency for maintenance and if it isn't remotely monitored how much is left in a tank, they wouldn't know till the next person stops by. So it all depends on how good the system is, and we can assume that City didn't have the best...
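
The fixed-range idea from the post above, as an added example that is not part of the thread: a setpoint guard that rejects, rather than silently applies, a dosing setpoint that falls outside a fixed range or changes by too much at once. The 100 ppm and 300 ppm figures are the post's; the 25 ppm step limit, the class and the source names are assumptions.

```python
import math
from dataclasses import dataclass, field

# Constructed values: 100 ppm "normal" and a 300 ppm ceiling come from the
# post above; the 25 ppm per-change step limit is an assumption.
NORMAL_PPM = 100.0
HARD_MAX_PPM = 300.0
MAX_STEP_PPM = 25.0


@dataclass
class SetpointGuard:
    """Checks a requested dosing setpoint before it is passed to the controller."""
    hard_min: float
    hard_max: float
    max_step: float
    current: float
    audit: list = field(default_factory=list)

    def request(self, value, source):
        """Return (accepted, reason). A rejected request leaves `current` unchanged."""
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return self._decide(False, value, source, "not a number")
        if not math.isfinite(value):
            return self._decide(False, value, source, "not finite")
        if not self.hard_min <= value <= self.hard_max:
            return self._decide(False, value, source, "outside fixed range")
        if abs(value - self.current) > self.max_step:
            return self._decide(False, value, source, "step too large")
        self.current = float(value)
        return self._decide(True, value, source, "accepted")

    def _decide(self, accepted, value, source, reason):
        # Every decision is recorded so rejected attempts can raise an alarm.
        self.audit.append({"source": source, "requested": value,
                           "accepted": accepted, "reason": reason,
                           "setpoint_after": self.current})
        return accepted, reason


def demo():
    """Run four constructed requests through the guard and return the outcome."""
    guard = SetpointGuard(0.0, HARD_MAX_PPM, MAX_STEP_PPM, current=NORMAL_PPM)
    requests = [
        (110.0, "local-hmi"),                  # small routine adjustment
        (NORMAL_PPM * 110, "remote-session"),  # the 110x change discussed in the thread
        (290.0, "remote-session"),             # inside the range, but a 180 ppm jump
        (float("nan"), "remote-session"),      # malformed value
    ]
    results = [guard.request(value, source) for value, source in requests]
    return guard, results


if __name__ == "__main__":
    guard, results = demo()
    for entry in guard.audit:
        print(entry)
```

A check like this belongs in the controller logic as well as the HMI, so it still applies when the HMI workstation itself is being driven by someone else.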


1 hour ago, HerrKaLeu said:

I'm surprised the chemical injector is even sized to add such a huge amount. Was that actually added, or was it just the set value that high? I mean, I can set my thermostat in winter to 100F, that doesn't mean the system can actually achieve it. So there may not have been any actual danger to get 110 times the amount.

And the control should have had a fixed range. Like if 100ppm is a normal amount, the maximum possible set-value should have been 300 ppm or something.

 

I'm not surprised they use old hardware and software. W7 actually still is modern compared to other systems still in use. I'm also not surprised they don't have an actually good IT department. Lack of funding, and staff that doesn't necessarily get chased by Google headhunters.

 

As for someone seeing the tank being empty etc. A city has multiple well and pump houses and they are not manned. Someone goes there on some frequency for maintenance and if it isn't remotely monitored how much is left in a tank, they wouldn't know till the next person stops by. So it all depends on how good the system is, and we can assume that City didn't have the best...

 

Without knowing exactly how the place works, hard to say for sure. If it's done in batches though then it doesn't have to, all such a change would do would change for how long it added and mixes in the Sodium Hydroxide before it declares that part of the process done according to its sensors that measure the ppm.

 

For me the biggest security question is why this plant was even hooked up to the internet. Unless Florida's industrial regulations are terrible I can't imagine it's legal to run the entire thing from off site, so why bother having the capability, and thus the security risk.


Nm, hope they catch the guy.

 


3 hours ago, leadeater said:

Seems to be more an adjacent criticism to me, although contextual in the sense that it goes towards the general operating practices i.e. bad.

Yea, I agree....actually that is why I initially wrote that it was TeamViewer that was the cause, but added that it was also alarming having an unpatched system like that without a firewall...since it could make the situation a whole lot worse (if there's one system, there would likely be more...add in a few exploits and keyloggers and you could potentially shutdown the plant)

 

Agree with your TeamViewer comment as well...I usually reserve its use for when a remote user breaks their VPN. It's a temporary tool that gets removed after its use (because honestly, I don't trust that there won't one day be a major exploit found that causes a massive attack on TeamViewer users)

 


Don't use TeamViewer and don't use the same passwords.  


On 2/11/2021 at 2:14 PM, Velcade said:

Unacceptable really. There should be safeguards in place to not allow such a drastic change.

like a nuke launch key?

 


3 hours ago, huilun02 said:

Is there no hardcoded automatic detector in the system to stop the supply if the produced water is not fit for human consumption?


 

So likely yes, or one of many other testing steps in the process that check water quality and safety through the process would have picked it up.


Any sort of remote work without requiring the use of a VPN these days is just a recipe for disaster. 


28 minutes ago, gabrielcarvfer said:

Don't know about you but after Flint, and other similar events, I don't really trust anything these utilities companies say.

That really does depend on each local utility, some aren't so crap, others are and it also very much depends on where issues actually are in the process chain.

 

You should give the Jim Jefferies podcast a watch, the one on water. It covers this topic of water treatment very well. Water safety and quality is a lot more complex than the water that leaves the treatment facilities, it can be tested as safe (very safe even) but it may not stay that way due to the choices they made to treat the water or rather the changes to the way they treat it or even a change in water source.

 

Quote

In April 2014, Flint changed its water source from treated Detroit Water and Sewerage Department water (sourced from Lake Huron and the Detroit River) to the Flint River. Officials failed to apply corrosion inhibitors to the water. As a result, lead from aging pipes leached into the water supply, leading to extremely elevated levels of the heavy metal neurotoxin and exposing over 100,000 residents to elevated lead levels.[11] A pair of scientific studies proved that lead contamination was present in the water supply.[12][13] The city switched back to the Detroit water system on October 16, 2015.[14] It later signed a 30-year contract with the new Great Lakes Water Authority (GLWA) on November 22, 2017.[15]

 

Quote

A study by Virginia Tech researchers (see section below) determined that the river water, which, due to higher chloride concentration, is more corrosive than the lake water, was leaching lead from aging pipes.[146]

 

Flint's issues were caused by a change in water supply and the water was safe to drink at the point of leaving treatment facilities, it was contaminated in the city pipe systems from that point after.


43 minutes ago, gabrielcarvfer said:

Problem is you never know which ones can be trusted, unless there is some independent testing happening regularly. 

That sort of testing usually is, independent as it can get when it's the local officials' responsibility to have it done anyway. You have testing done at facilities and that is generally done by the company contracted to do it, if it is done via contracts like that, but testing done out on the wider network at test points is done by a different company and the samples are gathered by city employees or another contracted company.

 

The problem with test points is they are done at larger points in the network and would rarely have any older pipes leading in to them, so unless you are testing actual water coming from residential properties you may well never detect that sort of thing. The failing point here is not having the proper expertise and understanding of the whole system, had a properly experienced and educated water quality expert been consulted and supplied with the correct information their recommendation likely would have been to not change water supply or the corrective corrosion measures put in place. However simply not changing supply is far safer.


On 2/12/2021 at 7:49 AM, CarlBar said:

 

Without knowing exactly how the place works, hard to say for sure. If it's done in batches though then it doesn't have to, all such a change would do would change for how long it added and mixes in the Sodium Hydroxide before it declares that part of the process done according to its sensors that measure the ppm.

 

For me the biggest security question is why this plant was even hooked up to the internet. Unless Florida's industrial regulations are terrible I can't imagine it's legal to run the entire thing from off site, so why bother having the capability, and thus the security risk.

Connection to internet allows remote monitoring, or a vendor helping to trouble-shoot. The controls guy also may not be an employee, but a company. And you need to communicate between all the wells and pump houses that are scattered all over a city.

 

Here they also use radio SCADA. But I wouldn't necessarily bet my life on that not being vulnerable....  

 

You think preppers that build bunkers are crazy? If you knew how  government emergency systems " work",  you would be a prepper too and get your own compound.


Lol. The company deserves it. If you can't be bothered to teach your staff or even upgrade your systems you will get hacked... Remember kids, the real threat of getting hacked is from inside the company, not outside. Users do dumb shit...  


6 hours ago, Sir Asvald said:

Lol. The company deserves it. If you can't be bothered to teach your staff or even upgrade your systems you will get hacked... Remember kids, the real threat of getting hacked is from inside the company, not outside. Users do dumb shit...  

No. No company or individual "deserves" to get hacked. That line of thinking is what gets us into revenge fantasies based on lies. Some places have been at war with each other for centuries for that kind of wishful thinking. Or do patients on ventilators deserve to die when hackers unleash malware on hospitals that shut down devices being monitored by wifi?

 

Rather, companies or individuals that believe they are in the right to hack into companies and pilfer or tamper with things, should have the book thrown at them when caught for being stupid enough to commit the crime in the first place. If anyone is harmed or dies, they should be treated as though they have the smoking gun that harmed or killed the individual. That's not curiosity driving the hacking, that's malice. Your responsibility if you find a security oversight is to either:

 

1) Notify the party that they have a security oversight

and

2) If they fail to act, embarrass them with the media, government, or law enforcement entities so they may act.

 

As we've seen with exploits for Microsoft, Google and Apple, it often takes the potential disclosure of the exploit before the exploit gets patched. 

 


 

19 minutes ago, Kisai said:

No. No company or individual "deserves" to get hacked.

 

Notify the party that they have a security oversight

 It also depends on who is hacking and who has the malicious intent. 

 

So if you're telling me that if a company that ignores multiple warnings from members of the IT staff including an independent security consultant that the hardware is outdated and is in need of a major upgrade they are getting it. That is the reality and I can tell you from experience that a place I worked had incompetent staff.

 

22 minutes ago, Kisai said:

That line of thinking is what gets us into revenge fantasies based on lies. Some places have been at war with each other for centuries for that kind of wishful thinking.

That is what happens in war. War is not sunshine and roses, if you're going to go to war with a country what are you going to do first? take out the infrastructure, cripple them where they cannot do anything. 

 

26 minutes ago, Kisai said:

Or do patients on ventilators deserve to die when hackers unleash malware on hospitals that shut down devices being monitored by wifi?

 Again, it also depends on who is hacking and who has the malicious intent. I said that if a business ignores anything related to their security measures and keep their network secure they are getting hacked. Hackers don't care if this is right or wrong, they will cause damage.

 

Here is an example of a Public Certificate Authority who got hacked yet they did not notify anyone about the attack to the public and they also refused to publish their report because they know what was wrong but it was later ordered to be released. Turned out their systems were all full of vulnerabilities.

https://en.wikipedia.org/wiki/DigiNotar

 

 


12 minutes ago, Sir Asvald said:

 

 It also depends on who is hacking and who has the malicious intent. 

 

So if you're telling me that if a company that ignores multiple warnings from members of the IT staff including an independent security consultant that the hardware is outdated and is in need of a major upgrade they are getting it. That is the reality and I can tell you from experience that a place I worked had incompetent staff.

 

No it doesn't. If a company ignores warnings, it does so at its own peril. A Government run and operated business (Eg water, gas, electricity, medical care, fire, police, schools, waste management, city planning) should not ignore its IT infrastructure, and should be hiring people that are competent in the first place. These places are in direct competition with neighboring municipalities and cities. A hacker getting into city hall, pilfering building plans to yet-to-be-built mega-projects that are under bid? That can result in bidders withdrawing and holding the city liable for losing the bid. A hacker getting in and locking up everything with malware? Probably recoverable if they have been backing up things for years.

 

Yet, many businesses, like billion dollar businesses have IT that move so slowly, operate hardware that is over a decade old, not because they can't afford it, but because gatekeeping happens. If that gatekeeping is a bookkeeper, then you're going to have to embarrass the company to get around the gatekeeping. If that gatekeeper is an actual IT person, they are going to go "it's fine, it's reliable"

 


1 hour ago, Kisai said:

No it doesn't. If a company ignores warnings, it does so at its own peril. A Government run and operated business (Eg water, gas, electricity, medical care, fire, police, schools, waste management, city planning) should not ignore its IT infrastructure, and should be hiring people that are competent in the first place. These places are in direct competition with neighboring municipalities and cities

Yet there is so much of this going on here in the UK and it is not just the staff, the government is constantly cutting budgets from these services. 

 

1 hour ago, Kisai said:

A hacker getting into city hall, pilfering building plans to yet-to-be-built mega-projects that are under bid? That can result in bidders withdrawing and holding the city liable for losing the bid. A hacker getting in and locking up everything with malware? Probably recoverable if they have been backing up things for years.

If you left your car running unattended and you left a few seconds and someone takes it what then? The same thing with leaving a network wide open to be attacked.

 

1 hour ago, Kisai said:

Yet, many businesses, like billion dollar businesses have IT that move so slowly, operate hardware that is over a decade old, not because they can't afford it, but because gatekeeping happens. If that gatekeeping is a bookkeeper, then you're going to have to embarrass the company to get around the gatekeeping. If that gatekeeper is an actual IT person, they are going to go "it's fine, it's reliable"

Then they're incompetent. They do not understand the meaning of what is going on. 
