It didn’t seem hard. The hacker had the username and password for a former employee’s TeamViewer account, a popular program that lets users remotely control their computers, according to a private report compiled by the Northern California Regional Intelligence Center in February and seen by NBC News. After logging in, the hacker, whose name and motive are unknown and who hasn’t been identified by law enforcement, deleted programs that the water plant used to treat drinking water.
The hack wasn’t discovered until the following day, and the facility changed its passwords and reinstalled the programs. “No failures were reported as a result of this incident, and no individuals in the city reported illness from water-related failures,” the report, which did not specify which water treatment plant had been breached, noted.
The incident, which has not been previously reported, is one of a growing number of cyberattacks on U.S. water infrastructure that have recently come to light. The Bay Area attack was followed by a similar one in Oldsmar, Florida, a few weeks later. In that one, which made headlines around the world, a hacker also gained access to a TeamViewer account and raised the levels of lye in the drinking water to poisonous levels. An employee quickly caught the computer’s mouse moving on its own, and undid the hacker’s changes… The usernames and passwords for at least 11 Oldsmar employees have been traded on the dark web, said Kent Backman, a researcher at the cybersecurity company Dragos…
[A] number of facilities have been hacked in the past year, though most draw little attention. In Pennsylvania, a state water warning system has reportedly alerted its members to two recent hacks at water plants in the state. In another previously unreported hack, the Camrosa Water District in Southern California was infected with ransomware last summer. Whether hacks on water plants have recently become more common or just more visible is impossible to tell, because there is no comprehensive federal or industry accounting of water treatment plants’ security… Unlike the electric grid, which is largely run by a smaller number of for-profit corporations, most of the more than 50,000 drinking water facilities in the U.S. are nonprofit entities.
Some that serve large populations are larger operations with dedicated cybersecurity staff. But rural areas in particular often get their water from small plants, often run by only a handful of employees who aren’t dedicated cybersecurity experts, said Bryson Bort, a consultant on industrial cybersecurity systems. “They’re even more fragmented at lower levels than anything we’re used to talking about, like the electric grid,” he said. “If you could imagine a community center run by two old guys who are plumbers, that’s your average water plant.”
NBC News also a spokesperson for America’s Cybersecurity and Infrastructure Security Agency, who shared an internal survey conducted earlier this year. As many as 1 in 10 water and wastewater plants reported they’d recently found a critical cybersecurity vulnerability — and more than 80% of their major vulnerabilities were software flaws discovered before 2017.
Read more of this story at Slashdot.