

FBI: Water system hack likely caused by remote access program, old software and poor password security

White House says more cybersecurity needed
Posted at 5:46 PM, Feb 10, 2021
and last updated 2021-02-10 17:46:46-05

OLDSMAR, Fla. — The FBI is putting water systems on alert after cybercriminals hacked into the Oldsmar city water system and attempted to make dangerous changes.

The I-Team has uncovered new details about how it happened and what authorities say local communities can do to better protect their water supplies.

“The mouse was moving around on the computer screen of someone working at the plant who could see it happen,” said retired FBI computer scientist Randy Pargman, who now works as a security consultant.

He was describing how the cyberattack on Oldsmar’s water system was first detected last Friday.


In a report released to water system operators, the FBI said the hackers likely “accessed the system by exploiting cybersecurity weaknesses including poor password security, and an outdated Windows 7 operating system.”

“Basically they took advantage of a very simple remote log-in program called ‘TeamViewer’ that was set up for someone to do legitimate work at the plant.”

Using that program, they were able to change the sodium hydroxide level from 100 parts per million to 11,000 parts per million, an amount that could potentially harm local residents.

“This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in drain cleaner,” said Pinellas County Sheriff Bob Gualtieri at a press conference Tuesday.

“A lot of these remote access systems are designed to get around the security features we have on networks. It’s kind of why they exist,” said cybersecurity expert Alex Hamerstone.

Hamerstone says remote access programs are often used by smaller utility companies with small staffs.

Records from the Florida Public Service Commission show the state has 115 independent water districts, in addition to municipal and county water providers.

“Absolutely it’s understandable with the small staff. You need to outsource things to vendors who need access,” said Hamerstone.

And he says often you only need a username and password to do all kinds of damage.

“If the computer they’re able to access is also able to make changes to the water supply or anything else, they have that full access,” Hamerstone said.

The Oldsmar water system had redundant security features to prevent the public from being harmed. But concern over the attack has even reached the White House.

“The President, the Vice President, members of our national security team are focused on elevating cybersecurity as a threat that has only increased,” said White House Press Secretary Jen Psaki, during a briefing Tuesday.

“There are some simple steps that people can take. It might be as simple as choosing a better password or using two-factor authentication,” said Pargman.

“We certainly hope that a near-miss will lead to the kind of changes and at least some new rules and systems and programs to prevent this,” said Hamerstone.
