On Friday, February 5, 2021, a remote worker at a Florida water treatment plant noticed his mouse cursor begin to move on its own. At first, he thought it was his supervisor accessing his system to do regular checkups. It soon became apparent that wasn't the case. The operator watched someone clicking through the water treatment plant's controls on his system. Within seconds, the attacker was trying to change the water supply's level of sodium hydroxide, also known as lye or caustic soda, moving the setting from 100 parts per million to 11,100 parts per million. In low volumes, the corrosive chemical regulates the pH level of potable water. At high levels, it will severely damage any human tissue it touches. Thanks to his quick thinking, the remote worker noticed the change and returned the levels to their standard rates. Had he not seen it, within 24 to 36 hours, thousands of people could have been poisoned.
You may be wondering just how something so dangerous could happen so quickly and easily in a vital infrastructure such as a water system. The reasons are quite alarming, and the weaknesses behind them were easily preventable. According to an investigation by the Massachusetts Environmental Protection Agency, the following vulnerabilities appeared:
- The water treatment plant used TeamViewer, remote access software that allows IT support to log into computers remotely to troubleshoot issues. Placed on remote workers' computers, the software had access to the plant's SCADA (supervisory control and data acquisition) system. Having a remote access system on the same network as the plant's most critical managing tools made access very easy.
- There was no unique password for the TeamViewer system. All employees used the same password to utilize the software.
- The water treatment plant was using Microsoft Windows 7 on all computers. Microsoft issued end-of-life notices for Windows 7 in 2019, and all support for Windows 7 ended January 14, 2020. There have been no security updates or support provided for this operating system for more than a year.
- The computers utilizing TeamViewer did not have unique passwords and were connected directly to the Internet without firewall protection.
- Researchers discovered employee credentials for logging into the water treatment plant's critical systems online after a compilation of many breaches was published. Investigators found more than 3.2 billion credentials for various people in an online forum just days before the attack.
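
As an added illustration (not code from the investigation or the plant), the findings above can be turned into a repeatable check that runs over a host inventory. The inventory records, host names and field names are constructed for this example; only the Windows 7 end-of-support date comes from the article.

```python
from collections import defaultdict
from datetime import date

# End-of-support dates. The Windows 7 date is the one given in the article.
END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14)}

# Constructed inventory (hypothetical hosts and field names, not incident data).
# "cred_fp" is a fingerprint of the remote-access credential, never the password.
INVENTORY = [
    {"host": "ops-ws-01", "os": "Windows 7", "remote_access": "TeamViewer",
     "cred_fp": "fp-01", "reaches_scada": True, "internet_direct": True, "firewall": False},
    {"host": "ops-ws-02", "os": "Windows 7", "remote_access": "TeamViewer",
     "cred_fp": "fp-01", "reaches_scada": True, "internet_direct": True, "firewall": False},
    {"host": "office-ws-07", "os": "Windows 10", "remote_access": None,
     "cred_fp": None, "reaches_scada": False, "internet_direct": False, "firewall": True},
]


def audit(inventory, today):
    """Return {host: [finding, ...]} for the weaknesses listed above."""
    findings = defaultdict(list)
    hosts_by_cred = defaultdict(list)
    for h in inventory:
        eos = END_OF_SUPPORT.get(h["os"])
        if eos is not None and today > eos:
            findings[h["host"]].append(f"unsupported OS: {h['os']} (support ended {eos})")
        if h["internet_direct"] and not h["firewall"]:
            findings[h["host"]].append("directly on the Internet without a firewall")
        if h["remote_access"]:
            hosts_by_cred[h["cred_fp"]].append(h["host"])
            if h["reaches_scada"]:
                findings[h["host"]].append(
                    f"{h['remote_access']} installed on a host that can reach SCADA")
    # A credential fingerprint seen on more than one host means a shared password.
    for hosts in hosts_by_cred.values():
        if len(hosts) > 1:
            for name in hosts:
                findings[name].append(
                    f"remote-access password shared across {len(hosts)} hosts")
    return dict(findings)


if __name__ == "__main__":
    for host, issues in audit(INVENTORY, date(2021, 2, 5)).items():
        print(host, *issues, sep="\n  - ")
```
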
With so many vulnerabilities in place, it is no surprise that something of this nature could have occurred. Along with the apparent issues, many small public utilities have limited budgets and in-house expertise to ensure the safety of their systems and data. Also, there are many purported "Managed IT" companies out in the market. It's often difficult for businesses to know which ones are legit and which may not be.
This type of story is no longer rare. Businesses have to be on top of their cybersecurity plan at all times. Becoming a victim of a cybersecurity event isn't a matter of if, but when. To keep your business safe from an attack, here are some essential tips:
- Make a cybersecurity plan that includes data backup and test it often!
- Restrict outside access to critical infrastructure systems.
- Install a firewall software/hardware device with logging capabilities.
- Keep computers, devices and software patched and updated.
- Implement two-factor authentication with strong passwords.
- Only use secured networks to access business systems and implement a VPN (virtual private network).
Having a reputable Managed IT services provider is vital for small and mid-size businesses to protect themselves from cyberattacks. Ensure you are working with a company with expertise in cybersecurity. A Managed IT services provider will be able to work with you and your budget to find the solutions that will help you have a robust cybersecurity plan.