You may have heard about the Florida water treatment plant that was hacked, and the attacker changed the levels of sodium hydroxide to fatal levels. Fortunately, it was immediately noticed by someone at the plant who changed it back before the attack had any impact. But how exactly did it happen?
The investigation is still underway, but experts suspect that two issues are the cause of the breach. They know the hackers accessed the water treatment plan via remote access software installed on computers at the plant so workers could run system checks and respond to issues remotely. Unfortunately, all of the computers at the water plant used the Windows 7 operating system.
Released in 2009, Microsoft supported it with security updates for more than a decade before finally ending support for it in January of 2020. Unfortunately, many businesses haven’t prepared for upgrades and are stuck on these obsolete, legacy systems. They are an easy target for hackers, especially because there are usually well-known backdoors that will never be patched.
Whether you’re a business owner or someone with a home computer, this is why it’s important to plan for system upgrades and regularly install security patches for both your software and hardware.
Not only was the water treatment plan running Windows 7, but every computer in the building shared the same password for remote access. So hackers only had to figure out a single password to get access to all of the computers at the plant. What’s unclear is how the attackers got the credentials to break in. While it’s possible they could have used a brute force attack – using a computer to try thousands of passwords a second – it’s likely they found the login and password within databases shared by hackers.
Data breaches make the news on a regular basis, but when you add them all up, over 10 billion accounts have been compromised, and hackers know you probably use the same login and password for most websites. A credential stuffing attack is when a hacker tries to use the stolen usernames and passwords from one breach to log into another website. That’s why it’s so important not to use the same login and password everywhere, because when one site gets breached, it puts all of your other accounts at risk.
If you want to check to see if your email, username or password was stolen in a breach, visit https://haveibeenpwned.com.
In the breach of the Florida water treatment plant, researchers found several names and passwords from a 2017 list of breached credentials and even more from a more recent list. So not only should they have used unique logins, but they could have change them when they knew they were breached.
You can run a check of your logins and passwords to see if they’ve been part of a breach, but it’s easier to use a password manager than can help you create strong, unique passwords for every site. Several password managers will also alert you if any of your information has popped up on a list of stolen credentials.
It’s fortunate that no one died as a result of the breach of the Florida water treatment plan… It’s also fortunate that we can walk away with a few lessons about basic security behaviors related to passwords and system upgrades and patches.