Tag Archive for: Water

DNR warns Wisconsin water works to update security after Florida system hacked | State & Regional

/in




Water treatment hack

In this screen shot from a YouTube video posted by the Pinellas County Sheriff’s Office in Florida, Pinellas County Sheriff Bob Gualtieri addresses reporters during a news conference Monday. At left is Eric Seidel, the mayor of  Oldsmar, Fla.



ASSOCIATED PRESS


State and federal officials are warning all water utilities to upgrade their cybersecurity after hackers attempted to poison the water supply of a small Florida city, raising alarms about the vulnerability of the nation’s water systems.

The Wisconsin Department of Natural Resources cautioned Wisconsin’s 611 municipal water systems Wednesday to take steps to secure their computerized control systems, including installing firewalls and using strong passwords.

According to the DNR, on Feb. 5, unidentified hackers gained access to the control system at a water treatment plant in Oldsmar, Florida, and altered the supply of sodium hydroxide, or lye, a caustic chemical used in the water treatment process.

The hackers broke in twice on the same day, but in both cases workers at the treatment plant noticed the change and corrected the problem before the water was affected.

The DNR did not respond to questions about whether it is tracking utility responses to the recommended measures, which were outlined by the Environmental Protection Agency. Officials from the Madison and Sun Prairie water utilities, the largest in Dane County, could not be reached late Wednesday afternoon.

Suspicious incidents are rarely reported and usually are chalked up to mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.

Source…

Poor Password Security Led to Recent Water Treatment Facility Hack

/in


New details have emerged about the remote computer intrusion at a Florida water treatment facility last Friday, highlighting a lack of adequate security measures needed to bulletproof critical infrastructure environments.

The breach involved an unsuccessful attempt on the part of an adversary to increase sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the SCADA system at the water treatment plant. The system’s plant operator, who spotted the intrusion, quickly took steps to reverse the command, leading to minimal impact.

password auditor

Now, according to an advisory published on Wednesday by the state of Massachusetts, unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system via TeamViewer software installed on one of the plant’s several computers that were connected to the control system.

Not only were these computers running 32-bit versions of the Windows 7 operating system, but the machines also shared the same password for remote access and are said to have been exposed directly to the Internet without any firewall protection installed.

It’s worth noting that Microsoft Windows 7 reached end-of-life as of last year, on January 14, 2020.

Adding to the woes, more often than not, many small public utilities are saddled with aging infrastructure, and the IT departments tend to be under-resourced, lacking in budget and expertise to upgrade their security posture and address vulnerabilities in a timely fashion.

“Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network,” Massachusetts state officials said. “One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.”

“Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date,” the alert cautioned, adding “use two-factor authentication with strong passwords.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a separate alert published today, warned of “cybercriminals targeting and exploiting desktop sharing software and computer networks running operating systems…

Source…

Outdated computer system exploited in Florida water treatment plant hack

/in


Investigators are still trying to determine who’s behind the hack.

February 10, 2021, 11:20 PM

4 min read

An outdated version of Windows and a weak cybersecurity network allowed hackers to access a Florida wastewater treatment plant’s computer system and momentarily tamper with the water supply, federal investigators revealed in a memo obtained by ABC News.

The FBI’s Cyber Division on Tuesday notified law enforcement agencies and businesses to warn them about the computer vulnerabilities, which led to the Bruce T. Haddock Water Treatment Plant in Oldsmar being hacked on Feb. 5.

The plant’s computer systems were using Windows 7, which hasn’t received support or updates from Microsoft in over a year, according to the FBI.

“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment,” investigators wrote in the report. “The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.”

The hacker was able to use remote access software to raise the levels of sodium hydroxide in the water from about 100 parts per million to 11,100 parts per million for a few minutes, according to investigators. Sodium hydroxide is used in liquid drain cleaners and used, in small doses, to remove metals from water.

A plant manager who noticed the hack as it unfolded was able to return the system to normal before there any major damage occurred, investigators said. The public was never in danger because it would have taken 24 to 36 hours for tainted water to hit the system if no one intervened.

The FBI and other law enforcement agencies are still trying to determine who was behind the…

Source…

Hack exposes vulnerability of cash-strapped U.S. water plants

/in


ST. PETERSBURG, Fla. >> A hacker’s botched attempt to poison the water supply of a small Florida city is raising alarms about just how vulnerable the nation’s water systems may be to attacks by more sophisticated intruders. Treatment plants are typically cash-strapped and lack the cybersecurity depth of the power grid and nuclear plants.

A local sheriff’s startling announcement Monday that the water supply of Oldsmar, population 15,000, was briefly in jeopardy last week exhibited uncharacteristic transparency. Suspicious incidents are rarely reported and usually are chalked up to mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.

“In the industry, we were all expecting this to happen. We have known for a long time that municipal water utilities are extremely underfunded and under-resourced, and that makes them a soft target for cyberattacks,” said Lesley Carhart, principal incident responder at Dragos Security, which specializes in industrial control systems.

“I deal with a lot of municipal water utilities for small, medium and large-sized cities. And in a lot of cases, all of them have a very small IT staff. Some of them have no dedicated security staff at all,” she said.

The nation’s 151,000 public water systems lack the financial fortification of the corporate owners of nuclear power plants and electrical utilities. They are a heterogenous patchwork, less uniform in technology and security measures than in other rich countries.

As the computer networks of vital infrastructure become easier to reach via the internet — and with remote access multiplying dizzily during the COVID-19 pandemic — security measures often get sacrificed. That appeared to be the case at Oldsmar.

Cybersecurity experts said the attack at the plant 15 miles northwest of Tampa seemed ham-handed, it was so blatant. Whoever breached Oldsmar’s plant on Friday using a remote access program shared by plant workers briefly increased the amount of lye — sodium hydroxide — by a factor of 100, according to Pinellas County Sheriff Bob Gualtieri. Lye is used to lower acidity, but in high concentrations it is highly…

Source…