The world took notice when a cyber attacker breached a Florida city’s water treatment plant and tried to poison the water supply. New details about the incident reveal serious cyber security shortcomings at the plant.
As reported by Ars Technica, a Private Industry Notification (PIN) from the FBI noted two major issues. One was that the compromised computer at the Oldsmar water treatment facility was running an “outdated Windows 7 operating system.”
That statement applies to pretty much any computer running Windows 7 at this point. As of January 14 last year Microsoft had stopped offering software updates, security updates or fixes and technical support for Windows 7. Ahead of that date Microsoft had warned that “While you could continue to use your PC running Windows 7, without continued software and security updates, it will be at greater risk for viruses and malware.”
Microsoft had already extended support for Windows 7 on a couple of occasions and the company provides plenty of notice when it’s ending support. Nevertheless it’s not uncommon for organizations to continue using an operating system beyond its end-of-support date.
Specialized applications — like those that control the water treatment system at the Florida plant — may not be compatible with a newer OS. Faced with the possibility of a broken piece of critical software, many organizations choose to continue running the outdated OS. This incident once again underscored just how risky that practice can be.
Another failing revealed in the Bureau’s notification is that staff all utilized the same password for remote access via the Teamviewer application. That same password was used on all of the plant’s computers and it’s believed that the attacker(s) used that password to break in.
That’s two very big cyber security strikes already. The third? The plant’s computers “appeared to be connected directly to the Internet without any type of firewall protection installed.”
Firewalls provide a first line of defense against unauthorized access. They’re an important part network security in any situation. In a case where the…