Did you hear about how a Florida water treatment plant was hacked, and how a crisis was stopped? On February 5th, the cybersecurity incident occurred and was stopped before anyone got hurt. The town of Oldsmar fell victim to a cybersecurity attack that allowed the hacker access to services that would allow for the increase or decrease of needed chemicals to keep drinking water safe. The frightening part of this story is they actually did increase the sodium hydroxide to a toxic level. Thankfully a plant operator was observant and was able to remediate the sodium hydroxide levels within minutes, averting a crisis.
How did this happen?
The operating system being used by Oldsmar is Windows 7, which saw its “end of life” on January 14, 2020, over a year ago. End of life for an operating system usually implies there will no longer be any updates, which includes security updates. Microsoft generally gives several years of notice prior to ending support of their operating systems, so that way it does not come as a surprise.
Updating critical infrastructure like that in Oldsmar is not always an easy task. There are oftentimes high cost factors, incompatible software, lack of expertise to perform upgrades, and any other number of reasons. It is important to either update to the new operating system or to put in more layers of security.
Speaking layers of security, firewalls are just that! In this case, remote access was allowed and devices connected directly to the internet, exposed for hackers to find. They also did not have a firewall in place to prevent unauthorized access. Sometimes remote access is important and needed. There are steps that can be done to help lower your risk while allowing remote access. They could have considered deploying a VPN (virtual private network) that assigns specific IP addresses to those who need to access the device remotely. From there a firewall could have stopped all other traffic except for those few verified IP addresses from entering the network, this would allow for the workers to do what they need to do while minimizing the chances someone else gets access. This would also generate logs of who and when someone accessed the device.
Lastly, it was reported the users all shared the same password for remote access. Passwords should very rarely be shared and almost never for any critical systems. When using shared passwords you lose the ability to audit who actually logged in and made changes.
Here at Security Bytes, we consider Updates, Firewalls (network protection), and strong Passwords to be must haves for all small businesses. Somethings in security can be negotiated, but these should almost never be. By having these must haves in place, a small business is well on the road to strong cybersecurity.
For more information on cybersecurity check out Small Business, Big Threat for more.