The Florida water treatment plant unsuccessfully targeted by hackers last week had used multiple computers running an aging version of Microsoft Windows to monitor the facility remotely, and all of the computers shared a single password to access an apparently disused version of the plant’s remote management software.
The revelations highlight evidence of poor cybersecurity hygiene at the plant, whose unexpected compromise has raised awareness of the nation’s vulnerability to industrial cyberattacks.
But whether those factors may have helped the hackers compromise the facility is still unclear as the investigation continues.
According to Pinellas County Sheriff Bob Gualtieri and a Massachusetts government advisory, the hackers gained access to the water facility’s control systems through remote access software known as TeamViewer.
The software had been “installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process,” the Massachusetts advisory to other utility operators said.
Gualtieri told CNN Tuesday that TeamViewer had not been actively used by the facility in about six months, as the plant currently uses a Google Chrome product for remote access. The statement could raise further questions about why the outdated software had not been removed.
Martina Dier, a spokesperson for TeamViewer, said an investigation found no evidence of suspicious activity on its platform. Germany-based TeamViewer is used globally by more than 580,000 paid subscribers, Dier said.
“TeamViewer is in close alignment with the relevant law enforcement authorities regarding the Oldsmar water treatment facility,” Dier told CNN in a statement. “Based on cooperative information sharing, a diligent technical investigation did not find any indication for suspicious connection activity via our platform. We continue to monitor the situation very closely and do our utmost to support the investigators in resolving the case.”
The attempted attack saw malicious actors seeking to raise the sodium hydroxide content in the water supply, which experts said could be deadly in high enough concentrations, but early detection stopped the incident from becoming more serious.
Investigators have also focused on the computer operating system used by plant managers. The Massachusetts advisory said that computers with access to the plant’s control system ran the 32-bit version of Windows 7, an operating system first released in 2009, and that Microsoft ended support for last January. A person familiar with the matter confirmed to CNN that the plant had used Windows 7 on its computers.
The outdated operating system, however, was not the weakness, according to Rob Lee, the CEO of cybersecurity firm Dragos, since the hacker – or team of hackers – did not exploit a vulnerability.
“There was software that allows remote access, that was internet-exposed,” Lee told CNN.
“Which means anyone could log in, and to impact industrial systems you don’t need exploits – you just need to know how to use the system, in this case, a human-machine interface that operated the plant.”
The state advisory appeared to underscore that point.
“All computers shared the same password for remote access,” it said, “and appeared to be connected directly to the internet without any type of firewall protection installed.”
Remote access software, like TeamViewer and Chrome in Oldsmar’s case, are extremely common on infrastructure sites, Lee said. That makes them targets.
The former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Chris Krebs, wrote on Wednesday that the Oldsmar hack highlights how dire the challenge is.
“Unfortunately, that water treatment facility is the rule rather than the exception,” Krebs wrote in a column for The Hill. “When an organization is struggling to make payroll and to keep systems on a generation of technology created in the last decade, even the basics in cybersecurity often are out of reach.”
Cybersecurity experts have described the incident affecting Oldsmar, Florida, as a wake-up call.
“You should minimize the number of systems that are connected to the internet,” said Michael Daniel, a former top cybersecurity official in the Obama administration, in a congressional hearing on Wednesday, addressing a question about industrial cybersecurity. “You want multiple layers of defense.”
The Massachusetts advisory recommended that utility operators limit remote connections to infrastructure controls, and allow remote access only when it is used to passively monitor systems.