Are More Water Treatment Facility Hacks on the Way?

• Dark web access offerings make it clear that the Oldsmar incident was just a drop in the water tank.
• Almost all water facilities in the United States are vulnerable, easily hackable, and potentially dangerous.
• Amending the effects of years of negligence and poor practices won’t be easy, but has to be done quickly.

In the aftermath of the Oldsmar water treatment facility hack that risked the health and safety of at least 15,000 people, hackers appear more than willing to follow the paradigm. According to a report by Intel471, cybercriminals are already selling access to the SCADA systems of numerous units across the United States and also around the globe.

The people who buy access to these systems with malicious intent aren’t financially motivated, but those selling it are. The former are either foreign actors seeking to avenge the U.S. or just psychos who find pleasure in harming innocent people.

Whatever the case, Intel471 claims that there has been a notable rise in these offerings since the Spring of 2020, and it’s possible that the actor who managed to change the chemical levels of the water in Oldsmar bought access through these vendors. In fact, they observed an Iranian actor advertising access to a water treatment plant in Florida via a VNC (virtual network computing) tool. A screenshot used to demonstrate the offering actually depicted the sodium hydroxide pump controls, which the hacker fiddled with.

Even though researchers have been ringing alarms about the dangers of leaving public facilities in such an insecure state, the latest revelations that come from the subsequent investigations on the Florida incident underline how bad the situation is in reality. First, the water treatment plant’s computers were running on Windows 7, for which support ended over a year ago. Thus, the systems were already vulnerable to an entire set of known and well-documented flaws.

Secondly, the employees were using the same passwords on the TeamViewer tool that was the entrance point for the hackers. Thirdly, the last time they used the tool was six months ago, a sign of poor administration and potentially outdated version on it too. And finally, there was no firewall in place to maybe catch the threat and stop it before anything risky happens. So, essentially, the work of the hackers was pretty trivial.

Almost all countries in the world ignored this crucial aspect of their security, not realizing the threat and relying on external factors like obscurity or lack of motivation. Now, they are suddenly pushed into a race with malicious actors who would love to wreak havoc, and unfortunately, dealing with the results of their long-term negligence at such a scale won’t be easy.