What’s the biggest lesson to be learned from the recent thwarting of an attempt by cyber criminals to poison the water supply in Oldsmar, Fla.?
According to the Cybersecurity and Infrastructure Security Agency (CISA), the hackers likely took advantage of an outdated operating system to gain access, and the agency said “continuing to use any operating system within an enterprise beyond the end of life status may provide cyber criminals access into computer systems.”
That’s one of the top takeaways from guidance issued Feb. 11 by CISA after examining the attack on the Florida water treatment facility’s supervisory control and data acquisition (SCADA) system, in cooperation with the FBI, Environmental Protection Agency (EPA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
The cyber actors attempted to poison the facility’s water supply on Feb. 5 by increasing the amount of sodium hydroxide – commonly known as lye – in the water. Thankfully, water treatment personnel noticed the change in chemical levels, and the water treatment process was able to return to normal. However, the employees noticed the change before the SCADA system was able to detect it or set off an alarm, according to the CISA guidance.
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” the Feb. 11 guidance states. “Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present date.”
The agencies recommended several cyber hygiene practices to prevent such an attack from happening again, but their main recommendation was to update to the latest version of the Windows operating system.
“Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system,” the guidance said.
In addition to updating the Windows operating system, the agencies recommended using multi-factor authentication; implementing strong passwords; ensuring anti-virus, spam filters, and firewalls are working properly; auditing the network to isolate systems that cannot be updated and to log remote connection logins; training users to identify and report malicious actions; and suspending access for users showing unusual activity.
The guidance also offers recommendations specific to water and wastewater systems security, such as installing “independent cyber-physical safety systems,” which would prevent “dangerous conditions” from occurring should the system be tampered with by an adversary.