Report: Hackers Breached More US Water Treatment Plants (nbcnews.com)

"On January 15, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area," reports NBC News: It didn't seem hard. The hacker had the username and password for a former employee's TeamViewer account, a popular program that lets users remotely control their computers, according to a private report compiled by the Northern California Regional Intelligence Center in February and seen by NBC News. After logging in, the hacker, whose name and motive are unknown and who hasn't been identified by law enforcement, deleted programs that the water plant used to treat drinking water.

The hack wasn't discovered until the following day, and the facility changed its passwords and reinstalled the programs. "No failures were reported as a result of this incident, and no individuals in the city reported illness from water-related failures," the report, which did not specify which water treatment plant had been breached, noted.

The incident, which has not been previously reported, is one of a growing number of cyberattacks on U.S. water infrastructure that have recently come to light. The Bay Area attack was followed by a similar one in Oldsmar, Florida, a few weeks later. In that one, which made headlines around the world, a hacker also gained access to a TeamViewer account and raised the levels of lye in the drinking water to poisonous levels. An employee quickly caught the computer's mouse moving on its own, and undid the hacker's changes... The usernames and passwords for at least 11 Oldsmar employees have been traded on the dark web, said Kent Backman, a researcher at the cybersecurity company Dragos...

[A] number of facilities have been hacked in the past year, though most draw little attention. In Pennsylvania, a state water warning system has reportedly alerted its members to two recent hacks at water plants in the state. In another previously unreported hack, the Camrosa Water District in Southern California was infected with ransomware last summer. Whether hacks on water plants have recently become more common or just more visible is impossible to tell, because there is no comprehensive federal or industry accounting of water treatment plants' security... Unlike the electric grid, which is largely run by a smaller number of for-profit corporations, most of the more than 50,000 drinking water facilities in the U.S. are nonprofit entities.

Some that serve large populations are larger operations with dedicated cybersecurity staff. But rural areas in particular often get their water from small plants, often run by only a handful of employees who aren't dedicated cybersecurity experts, said Bryson Bort, a consultant on industrial cybersecurity systems. "They're even more fragmented at lower levels than anything we're used to talking about, like the electric grid," he said. "If you could imagine a community center run by two old guys who are plumbers, that's your average water plant."

NBC News also spoke to a spokesperson for America's Cybersecurity and Infrastructure Security Agency, who shared an internal survey conducted earlier this year. As many as 1 in 10 water and wastewater plants reported they'd recently found a critical cybersecurity vulnerability — and more than 80% of their major vulnerabilities were software flaws discovered before 2017.
  • Credentials of a former employee were used. Is it not protocol to deactivate accounts of all former employees? I mean, this isn't Florida where Hicks are running IT. This is SF where we are told the elites live. Like so many hacks, this is not a clever state attack funded by billions of Rubles. This is a basic failure of the people being attacked.
    • Even if we think someone will be back the next day, every account at my work gets its permissions stripped and the password scrambled into a mess nobody will remember if they leave for whatever reason. I work in car repair.

      • I occasionally have to explain to former employees that because they no longer work here, their email won't work anymore.
        One guy worked here for nearly 20 years and was quite upset when I gave him the bad news. Apparently it was "his" email address.
        • by bn-7bc ( 909819 )
          Well then there you have the problem: employees need to understand that the company email they're assigned no more belongs to them than, say, the desk they work at; the fact that the email address isn't assigned to anyone else (in contrast to the desk etc.) on the cessation of their employment does not make it theirs. Maybe the addresses corporate IT assigns should have no connection to the employee's name. I doubt many people will feel any ownership for employeenumber@company.com; yourname@company.com however is a bit
          • by Anonymous Coward
            Yep, Putin is definitely 200% behind this. On his "off nights," he is actually in control of KGB Cyber Command. Fueled by White Russians Putin Style (coffee with vodka in lieu of creamer), he loudly hacks at a mechanical keyboard in a filthy, old Stalingrad decommissioned munitions factory in the late hours of the night. He stops to ponder for a minute--that Corsair backlit Soviet Control Panel of all those Cyrillic letters flashing from red to white to pink to blue to orange in some homosexual European fas
          • At the heart of that problem is not data but identity. If you rewind 20yrs, slowly you began using it to log into other sites. Over time this evolved to get tied to your netflix account, your online banking, and eventually 2FA. This gets even more complicated when your company provides your cellphone. Who wants to have to carry two phones around? So I can sympathize with the guy who had worked there 20+ years. All this shit tied to other shit all crept in over time. It's not like we knew Gmail would last, t
    • by PPH ( 736903 )

      This is SF where we are told the elites live.

      Hicks with money.

    • This is SF where we are told the elites live.

      If you're an IT guy at a water treatment plant, you're likely not an elite IT guy.

      • by GoTeam ( 5042081 )
        Unless they're all North Korean/Russian/Chinese (KRC for short since everything needs to be shortened) super elite IT guys that were planted by the new axis of evil to undermine our infrastructure right as the US tries to pass an infrastructure spending bill.

        Diabolical KRC, diabolical...
    • This is SF where we are told the elites live.

      Elite system admins are not running the water company computers.

      They are also not running the Bay Area consumer internet services, but that's a different story. Utah has better internet than we do.

    • Yeah, so it's not even a hack. It's a security breach. Maybe if people labelled these things correctly others might see them for what they are and help stop it. If management keeps seeing it as a technical problem (hack) and not a people problem, they won't even try to manage the people who are really responsible.
    • You have to connect the dots, but the reference to TeamViewer likely means this was not an authorized use of IT. Basically, the employee set up TeamViewer for his/her/etc. own convenience. Hence, when the employee left, all the normal credential policies were executed, but because no one knew about TeamViewer, it slid through the cracks. It's the Shadow IT problem. That said, they should have been checking for this, and by all means, should have employed the proper employee training (and consequences) to pr
  • Vendors scatter them throughout their client bases. Once they are used for that support event they are usually just left running and forgotten. TeamViewer and support products like it are in themselves a security risk because they are often used with the aid of non-IT individuals and rarely managed, updated or maintained.
    • Why the fuck are they even using teamviewer? At a minimum these machines should be behind a firewall, require the employees to VPN in and then just use RDP to connect to them.
  • Connecting to 10.22.35.112...
    Connection established.
    >User: Moron
    >Pass: youllneverguessthislol
    Welcome, Moron.
    >Set fluoride concentration to 2000%.
    OK.
    >Open sewage bypass valve.
    OK.
    >Start sewage pump.
    OK.
    >Increase output pressure by 1000%.
    OK.
    >quit
    Connection lost.

    • by Mspangler ( 770054 ) on Sunday June 20, 2021 @07:15PM (#61505118)

      As a board member on one of those small rural water systems, that won't work. We have no fluoride injection, no chlorination, and no sewage cross connect. (Everyone is on septic tanks.)

      If you hack into the PLC all you can do is turn off the pumps, or turn on the pumps, or send us spurious alarms.

      And the pumps have off-hand-auto switches so if the PLC screws up, I can flip the switches as needed. This has been known to happen, so we know Hand works.

      The middle level systems are more likely targets. They might actually have the systems you describe and not have the computer skills to secure them.

      • I understand your view; I just wish they would build a verification system, i.e. checks that are on a separate network. The issue is often they build out this SCADA system and have no cheap one-way independent system to verify the settings are applied.

      • by Monoman ( 8745 )

        Is nothing used to disinfect the water or is it done on the customer's side?

        • by Mspangler ( 770054 ) on Sunday June 20, 2021 @07:49PM (#61505202)

          It's from a deep well. There is nothing to disinfect.

          And we do the coliform test monthly, and the other tests as required. Nitrates are a bit high due to this being an agricultural area, but not high enough to do anything about. And we keep an eye on pesticides and herbicides. But it's good water.

        • by Pascoea ( 968200 ) on Sunday June 20, 2021 @07:52PM (#61505210)
          As a former user of well water: "Is nothing used to disinfect the water" correct. "or is it done on the customer's side" nope. Generally the only thing you'll see on a well system is a softener to deal with mineral hardness. Possibly a filter system to remove things like iron, particulates. But no ongoing chlorine, no fluoride, no nothing. (This from experience in the Upper Peninsula of Michigan, ymmv.) When we moved into the house we had the well tested, there was bacterial contamination. We dumped some bleach down the hole, let it sit for a couple days, then pumped a shit load of water out. We had it re-tested and things were back to acceptable levels. Generally the only time there is a concern is if the well sits idle.
          • by AmiMoJo ( 196126 )

            Can you recommend a good softener? The only things I see for domestic use are magnets (which don't work) and salt-based filters (which do work but add salt to the water and need a lot of it).

            I'm wondering what an industrial scale filter looks like.

            • by Pascoea ( 968200 )
              I don't have any first-hand experience with these, as the house I was referencing in my post just installed one of the "salt based" softeners. But a buddy of mine has municipal water (I think) and it's god-awful, he just had a whole-house Reverse Osmosis (RO) system installed and claims it works really well. https://en.wikipedia.org/wiki/... [wikipedia.org]
              • by AmiMoJo ( 196126 )

                Thanks. My understanding was that you needed a separate water softener with your RO system but I will investigate further.

      • My city uses hydrofluorosilicic acid in our water. Why can't someone hack in to save us from these idiots? If you want a corrosive neurotoxin it should be by your own consent and choice.

    • The boss says hey I want access from home so I don’t have to come in. Oh and make the password something easy.

      • All one has to do is open the tap in your kitchen to have access to the water supply. Most people do not realize that a tap and a toilet work both ways. Connect a pump between them and you can inject shit into the water main.
    • Ok now imagine the added security by preprocessing everything with ed:

      Connecting to 10.22.35.112...
      Connection established.
      >User: Moron
      >Pass: youllneverguessthislol
      Welcome to ed, Moron.
      Set fluoride concentration to 2000%.
      ?
      Open sewage bypass valve.
      ?
      Start sewage pump.
      ?
      Increase output pressure by 1000%.
      ?
      quit
      ?
      wtf
      ?
      help
      ?
      logout
      ?
      :(
      ?
    • Connecting to 10.22.35.112...
      Connection established...

      But when they find your body, it will have really strong teeth.

    • by bn-7bc ( 909819 )
      Hmm, I'm not a water/sewage treatment expert (no domain-specific knowledge at all actually), but from a sw perspective the above example seems horrid. Aren't there regulations in place, checks implemented in sw, stopping fluoride level adjustments/pressure adjustments this severe (unless ofc the base values are ridiculously low), if for no other reason than to stop fat-fingered mistakes?
      • Yes, we have entry limits in the SCADA that would never allow such high dosages. Also most systems have a reservoir so it would take a while to ever increase the concentration. Also the analytical instrument measurements would alarm, along with hourly lab tests by operators. Smaller plants however may be more vulnerable in all ways since they may not have dedicated 24/7/365 operators.
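The entry limits and independent analyzer check described in the reply above, as an added illustration (not any SCADA vendor's code and not from the article): a setpoint guard that rejects values outside engineering limits or that jump too far in a single command, plus a verification step that compares commanded values with readings from a separate path. The tag names and limit values are placeholders, not real dosing figures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Limit:
    low: float       # hard engineering floor for the tag
    high: float      # hard engineering ceiling; the "poison" range is simply unreachable
    max_step: float  # largest change accepted in one command

# Placeholder limits for a hypothetical plant (assumed values, not real dosing
# figures): the HMI rejects anything outside them before it reaches the PLC.
LIMITS = {
    "fluoride_mg_per_l": Limit(0.0, 1.5, 0.2),
    "output_pressure_kpa": Limit(200.0, 600.0, 50.0),
}

class SetpointGuard:
    """Entry-limit check in front of the controller, with an audit trail."""

    def __init__(self, limits, current):
        self.limits = limits
        self.current = dict(current)  # last accepted value per tag
        self.audit = []               # (user, tag, value, decision)

    def request(self, tag, value, user):
        lim = self.limits.get(tag)
        if lim is None:
            return self._reject(tag, value, user, "unknown tag")
        if not lim.low <= value <= lim.high:
            return self._reject(tag, value, user, "outside engineering limits")
        if abs(value - self.current[tag]) > lim.max_step:
            return self._reject(tag, value, user, "step larger than max_step")
        self.current[tag] = value
        self.audit.append((user, tag, value, "accepted"))
        return True

    def _reject(self, tag, value, user, reason):
        self.audit.append((user, tag, value, "rejected: " + reason))
        return False

def verify(commanded, measured, tolerance):
    """Independent check on a separate path: compare the setpoints the control
    system believes it applied with analyzer readings, and return the tags whose
    reading is missing or disagrees by more than the allowed tolerance."""
    disagree = []
    for tag, value in commanded.items():
        if tag not in measured or abs(measured[tag] - value) > tolerance[tag]:
            disagree.append(tag)
    return sorted(disagree)

if __name__ == "__main__":
    guard = SetpointGuard(LIMITS, {"fluoride_mg_per_l": 0.7, "output_pressure_kpa": 400.0})
    # A "2000%" style command never reaches the PLC.
    print(guard.request("fluoride_mg_per_l", 14.0, "remote-user"))
    # A plausible but too-large single jump is also refused.
    print(guard.request("fluoride_mg_per_l", 1.2, "remote-user"))
    print(guard.request("fluoride_mg_per_l", 0.8, "operator"))
    # Constructed analyzer readings on their own network: fluoride does not match
    # what was commanded, so the tag is reported for an operator to investigate.
    print(verify(guard.current,
                 {"fluoride_mg_per_l": 1.4, "output_pressure_kpa": 402.0},
                 {"fluoride_mg_per_l": 0.1, "output_pressure_kpa": 20.0}))
```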
  • by blitz487 ( 606553 ) on Sunday June 20, 2021 @07:17PM (#61505122)

    "gained access to a TeamViewer account and raised the levels of lye in the drinking water to poisonous levels. An employee quickly caught the computer's mouse moving on its own"

    This is simply terrible systems design. A functioning system should never just let any of the controls be movable to the "poison" setting. Any dangerous settings must be physically blocked by the machinery, which should be adjustable only by an actual mechanic on site behind a locked gate.

    • by Anonymous Coward

      We used to have a security policy that you could not change any process setting unless you were at the time of the change located within the blast area of the equipment setpoint you were changing. That plus 3G security (Gates, Guards, Guns) is extremely effective.

  • "If you could imagine a community center run by two old guys who are plumbers, that's your average water plant." Boy, this kind of ageism is really surprising from such a "woke" organization (/.).

      I've done a lot of work for organisations responsible for plant infrastructure and that freakishly accurately describes the staff.

      IT capable employees outside of the IT industry are rare. Hell - IT capable employees in the IT industry aren't exactly the rule either.

      You give most people the choice between secure and convenient they will take convenient until they get a shock.

  • by ugen ( 93902 ) on Sunday June 20, 2021 @07:31PM (#61505152)

    And that is why we can't beat Russia in this game. They barely have any water treatment plants, and those that exist are most certainly not connected to the global network (and, often, not even computerized). Low tech is best defense.

      by Randseed ( 132501 ) on Sunday June 20, 2021 @07:39PM (#61505182)

      I don't know if you were being sarcastic, but you're obviously correct. If you go to Shodan, you can find gas stations all over the United States with poorly configured level monitoring systems. Basically, some joker sold a monitoring system that gas stations put onto their networks that, without any authentication whatsoever, responds to an incoming telnet with things like the amount of gas remaining in the tank, what kind it is, how much water contamination has been detected, and so on. This came in handy when Hurricane Harvey hit Texas and a bunch of psychos started a gas rush. I was able to sit in a hotel room and tell family members on the phone what out of the way gas stations still had gas in their areas. I forget the exact details of how to do the scan on Shodan, but you can probably find it easily enough.

      One interesting thing I found was a major medical center that had something insane like 10,000 gallons of jet fuel in an underground tank. (This is a place that's a major part of the National Disaster Medical System for Texas.) You have to figure that if all these places are leaking information like that, there's probably some idiotic design flaw to change the price of gas to $0.01/gal, or cripple the entire system by telling it that it's out of gas, or something else nefarious like just turning all the pumps off.

  • The hacker had the username and password

    In other news: I just hacked into my bank account using the username and password I had provided earlier.

  • This has been a potential issue for at least 16+ years ( longer really ). A few of us have been sounding the alarm at how exposed our SCADA systems are, and no one seemed to care.

    Now we have significant infrastructure out there with its ass in the wind, and I doubt anyone fully appreciates the scope of the problem. Well, that's not true; I'm sure foreign actors know just how exposed we are, but none of the "good guys" do.

    • I wonder how good security is at things like the hoover dam. Single point failures so to speak. Imagine the problem the US would have if someone could remotely issue the command to open all gates. Drain the lake a few extra feet in a matter of minutes I imagine and AZ/CA/NV would see a whole new level of water problems. I imagine nuke plants are pretty tight, but how much stuff is out there that no one thinks is a target? Water treatment plants I doubt are high on the list of we need to lock that down tight
      • I've taken a tour of the Hoover Dam after 9/11. Based on what the tour guide said I'm pretty sure the Hoover Dam is not a weak point in the US's infrastructure.
  • The very *minimum* security involves things including:

    Use a firewall to:
    Block everything.
    Permit only the network traffic which is required.
    Sanity check what you allow.

    Use SSO via a remote user directory where you can disable everything for an employee with one action.
    Did I mention -- use a directory. LDAP, AD, Etc. Pick one, there are many.
    *Never* trust passwords alone.
    At minimum, two factor authentication is a must to access *any* critical system.
    There are three categories that can be used in 2fa.
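The reconciliation that the "minimum security" list above and the earlier thread about former employees' accounts are asking for, as an added example (not code from the article, from Slashdot, or from any vendor): it cross-checks a constructed HR roster against a constructed directory export and a constructed export from a stand-alone remote-access tool, flagging departed users' accounts that are still enabled, tool accounts with no directory owner (the shadow-IT case), and any use of an account after its owner's last day. Every name, date and system here is made up.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    issue: str

# Constructed HR roster: employee id -> (email, still employed?, last day)
HR = {
    "E100": ("alice@example.org", True, None),
    "E101": ("bob@example.org", False, date(2021, 1, 8)),  # left before the incident
    "E102": ("carol@example.org", True, None),
}

# Constructed central directory export: account -> (enabled?, last login)
DIRECTORY = {
    "alice@example.org": (True, date(2021, 1, 14)),
    "bob@example.org": (False, date(2021, 1, 7)),  # offboarding worked here
    "carol@example.org": (True, date(2021, 1, 15)),
}

# Constructed export from a stand-alone remote-access tool that is NOT tied to
# the directory: account -> (linked directory owner or None, enabled?, last login)
REMOTE_ACCESS = {
    "bob-home-pc": ("bob@example.org", True, date(2021, 1, 15)),  # never disabled, used after last day
    "plant-ops": (None, True, date(2021, 1, 15)),                 # nobody owns it
    "alice-laptop": ("alice@example.org", True, date(2021, 1, 10)),
}

def reconcile(hr, directory, remote):
    """Return every account state the offboarding process should have caught."""
    departed = {email: last_day for (email, active, last_day) in hr.values() if not active}
    findings = []
    for acct, (enabled, last_login) in directory.items():
        if acct in departed and enabled:
            findings.append(Finding("directory", acct, "enabled after departure"))
        if acct in departed and last_login and last_login > departed[acct]:
            findings.append(Finding("directory", acct, "login after last day"))
    for acct, (owner, enabled, last_login) in remote.items():
        if owner is None:
            # An account the directory cannot disable with one action: shadow IT.
            findings.append(Finding("remote-access", acct, "no directory owner (shadow IT)"))
        elif owner in departed:
            if enabled:
                findings.append(Finding("remote-access", acct, "owner departed, still enabled"))
            if last_login and last_login > departed[owner]:
                findings.append(Finding("remote-access", acct, "login after owner's last day"))
    return findings

if __name__ == "__main__":
    for f in reconcile(HR, DIRECTORY, REMOTE_ACCESS):
        print(f"{f.system:14} {f.account:12} {f.issue}")
```

Run it against real exports by replacing the three constructed dictionaries; the point is that a tool outside the directory has to be in the audit, or the single disable action the list above recommends never reaches it.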
  • by jdawgnoonan ( 718294 ) on Sunday June 20, 2021 @10:08PM (#61505480)
    It is unbelievable that anyone with any power ever actually believed that it was a good idea to connect this stuff to the Internet.
    • Because it's convenient and saves money. I say this based on a conversation I had with a person who has power to make these decisions.

      It's also moronic, but that's my opinion.

    • by thegarbz ( 1787294 ) on Monday June 21, 2021 @02:37AM (#61505836)

      Because driving all over the city to take measurements by hand is a bitch.
      It's the very real reality of modern infrastructure that it gets controlled in realtime over a large area. Somehow you have to pay for that network. Do you use an existing network, or do you build yourself your own network with blackjack and hookers, and get the public to pay for it?

      • by AmiMoJo ( 196126 )

        This. When the water company puts out a contract to build a new system, they specify remote control and data collection. They write "secure" on the spec and call it a day.

        The companies bidding to build these systems aren't going to suggest installing a dedicated network at great cost. They will leverage existing synergies by setting up RDP with a password. Maybe via VPN, it is 2021 after all.

        If it gets p0wned they will put out a press release about how "sophisticated state-level hackers" accessed their syst

  • Why is this stuff plugged into the internet?

    All this stupid narrative can be resolved - UNPLUG from the internet.

    If you REALLY need remote access, use leased lines - not the internet.

    Let's piss off with all this 'surveillance to make us safe' because it doesn't - and legislate that critical infrastructure cannot be connected to the internet in any way.

    • In the 90s you would laugh at the hacker movies because no one would ever connect stuff like this to the net.

      Sometime between now and then, everything ended up hooked to the net...

      • by AmiMoJo ( 196126 )

        Back in 1999 I was on dial-up. I noticed the LEDs on the modem flashing even though I was not sending any traffic. Looked at the packet dump and saw someone was pinging me.

        I tried opening up telnet to their address, and got a login prompt. Tried "admin" for user and password and get straight in. Poked around a bit, couldn't see anything interesting. It wasn't Unix, didn't seem to have any kind of help system or list of commands. Managed to display a list of what looked like relays.

        Anyway, got bored and trie

    • If you REALLY need remote access, use leased lines - not the internet.

      In other words, a VPN / Router you don't control.
      Leased lines are no longer as special as you think they are. These days you're likely far better off with a standard internet connection but with carefully configured hardware firewalls / routers on both ends.

      • I get that a "good" IT team could do as well or better than leased line, but that is not what happens. At least with the leased line, you get competent level of support. Not great, but competent. In these small essentially on a shoe string budget operations, you get incompetent. And here we are, another water treatment plant compromised. How many are? The current top story on /. is how NK needled their way into Bangladesh National bank and almost stole a billion dollars. My quick skim says they did pilfer 8
        • At least with the leased line, you get competent level of support.

          Speaking of things which don't happen...

          You put a bit too much faith in others.

          How many are? The current top story on /. is how NK needled their way into Bangladesh National bank and almost stole a billion dollars.

          Indeed. But if you want to talk about access to a leased line you don't need to look at something so sophisticated. You simply look to the countless stories of incredibly frigging basic social engineering attacks on network providers all too happy to change your account details on a whim.

          I think the amount of faith you place in a leased line is potentially quite dangerous. Kind of like airgapping. It is my experience that companies

          • So curious, can you give me an air-gapped system in the US that was compromised? The Iranians were compromised by the combined efforts of the CIA/IDF. Probably involved multiple spies that had to physically penetrate the facility at risk of death. Contrast that with the latest exploits in the US which very easily could have been done by someone anywhere in the world in the safety and comfort of their home. I think you are placing too much faith in those VPNs/firewalls that have holes. Heck ssh had a hole a wh
  • and let politicians bollox the system like Flint.
