Last week the sleepy Florida town of Oldsmar made headlines as its municipal water utility was targeted in a cyberattack. The attack resulted in the unauthorized access of a computer that controlled the chemical treatment of the city’s potable water supply, and the attackers actually managed to adjust a setting that could have poisoned the water for 15k people. Fortunately, the computer was actually being monitored by an employee who was able to safely reverse the settings change and alert authorities. Aside from the ominous implications evoked by cyberattacks on critical infrastructure like water supplies, this specific attack garnered additional attention because of Oldsmar’s proximity to the stadium hosting this year’s Super Bowl and the fact that it happened 2 days before the actual game.
What this means for you
What many of you might not realize, even though we’ve written about it before, is that our nation’s utility infrastructure is protected by technology that is outdated, underpowered and poorly managed. And it has been under constant attack since at least 2013 and most likely even before then. That being said, it appears the Oldsmar attack was not perpetrated through a series of exotic, Hollywood-esque tactics, but rather by exploiting a forgotten install of remote management software TeamViewer that was using a shared password set for the entire company. On top of this, the computer was connected directly to the internet with no firewall in place. While this lack of security isn’t uncommon in small organizations around the world, the fact that this is happening at companies that control vital services like drinking water should be fairly alarming to you. According to utility officials, there are plenty of other safeguards in place that would have prevented the actual poisoning from actually occurring, but one has to wonder whether or not an audit might be in order? If they installed a bit of software in a fashion that allowed it to be exploited with almost no effort and then forgot about it, what else might they have installed poorly and then forgotten?