New details have emerged about the remote computer intrusion at a Florida water treatment facility last Friday, highlighting a lack of adequate security measures needed to bulletproof critical infrastructure environments.
The breach, which occurred last Friday, involved an unsuccessful attempt on the part of an adversary to increase sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the SCADA system at the water treatment plant. The system's plant operator, who spotted the intrusion, quickly took steps to reverse the command, leading to minimal impact.
Now, according to an advisory published on Wednesday by the state of Massachusetts, unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system via TeamViewer software installed on one of the plant's several computers that were connected to the control system.
Not only were these computers running 32-bit versions of the Windows 7 operating system, but the machines also shared the same password for remote access and are said to have been exposed directly to the Internet without any firewall protection installed.
It's worth noting that Microsoft Windows 7 reached end-of-life as of last year, on January 14, 2020.
Adding to the woes, more often than not, many small public utilities are saddled with aging infrastructure, and the IT departments tend to be under-resourced, lacking in budget and expertise to upgrade their security posture and address vulnerabilities in a timely fashion.
“Prohibit all remote connections to SCADA systems, especially those that allow physical control and manipulation of devices within the SCADA network,” Massachusetts state officials said. “One-way unidirectional monitoring devices are beneficial to monitor SCADA systems remotely.”
“Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date,” the alert cautioned, adding “use two-factor authentication with strong passwords.”
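The weaknesses and recommendations above can be turned into a repeatable inventory check. The following is an added example, not code from the advisory or the article: the `Host` fields, the credential fingerprint, and the inventory entries are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# End-of-support dates; the Windows 7 date is the one cited in the article.
OS_EOL = {"Windows 7": date(2020, 1, 14)}

@dataclass
class Host:
    name: str
    os: str
    scada_connected: bool
    remote_tools: tuple          # remote-access software found installed
    internet_exposed: bool
    firewall_enabled: bool
    remote_pw_fingerprint: str   # hypothetical: credential fingerprint from a password audit
    mfa: bool

def audit(hosts, today):
    """Return {host name: [findings]} for the weaknesses named in the advisory."""
    by_pw = defaultdict(list)
    for h in hosts:
        by_pw[h.remote_pw_fingerprint].append(h.name)
    report = {}
    for h in hosts:
        findings = []
        eol = OS_EOL.get(h.os)
        if eol and today > eol:
            findings.append(f"unsupported OS ({h.os}, end-of-life {eol})")
        if h.scada_connected and h.remote_tools:
            findings.append("remote access to SCADA-connected host: " + ", ".join(h.remote_tools))
        if h.internet_exposed and not h.firewall_enabled:
            findings.append("exposed to the Internet without a firewall")
        peers = [n for n in by_pw[h.remote_pw_fingerprint] if n != h.name]
        if h.remote_tools and peers:
            findings.append("remote-access password shared with: " + ", ".join(peers))
        if h.remote_tools and not h.mfa:
            findings.append("remote access without two-factor authentication")
        if findings:
            report[h.name] = findings
    return report

# Constructed inventory for illustration; not data from the incident.
INVENTORY = [
    Host("hmi-01", "Windows 7", True, ("TeamViewer",), True, False, "fp-a1", False),
    Host("hmi-02", "Windows 7", True, ("TeamViewer",), True, False, "fp-a1", False),
    Host("eng-01", "Windows 10", False, (), False, True, "fp-b2", True),
]
```

Calling `audit(INVENTORY, date(2021, 2, 10))` reports both `hmi-*` hosts with five findings each and omits `eng-01`.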