Poisoning Water?

Earlier this week, Reuters reported that someone was able to gain unauthorized access to a water treatment facility’s system through security gaps such as weak and reused passwords, out-of-date systems, and vulnerable software.

We all know that certain government branches have less funding than others, and a small municipal water treatment facility might not have the most up-to-date systems. Engadget reported that the facility’s systems were running Windows 7, which hasn’t been updated or supported by Microsoft in over a year. TeamViewer, a remote desktop application, was not secured by a strong password and was brute-forced to allow unauthorized access. The systems were also connected directly to the internet without any firewalls, essentially leaving them exposed to the rest of the world. SCADA systems are typically on isolated networks, but that didn’t seem to be the case here.

The bad actor was able to remote in through TeamViewer and tried to increase the level of sodium hydroxide, or lye, from 100 parts per million to 11,000 parts per million, essentially poisoning the water supply. Luckily, an employee was monitoring the system and was able to see the hack live, revert the changes made, and report it to the authorities.

The scariest part of all of this is how easily a bad actor was able to exploit the system to commit a dangerous crime. A water treatment facility should have a better security posture and implement defense in depth to avoid situations like these. I am fortunate enough to live in an area where I can drink tap water pretty safely, but events like these make me question the trust that I have.