5 important lessons from the water treatment plant hack in Florida


You may have heard about the water treatment plant in Florida that was hacked in the run-up to the Super Bowl. The plant in Oldsmar, Fla., was hacked by cyber criminals who then tried to change the level of chemicals in the water supply to poisonous levels. The incident was caught almost immediately and no one was hurt. But it was still horrifying and it has raised serious questions about the cybersecurity of facilities like this.

The more details are revealed, the more horrifying the picture becomes, especially from a cybersecurity perspective. A report last week from Gizmodo revealed a number of shocking security oversights. The plant was running Windows 7 (<— not a typo). It didn’t have basic protections like a firewall. The plant’s employees were accessing the system through another program called TeamViewer, and they were all sharing a single password to that program. (That would be four strikes, if you’re counting.)

But we can learn from this and use it as a tale of caution for all businesses – whether you treat water or sell tacos. Here are five key lessons from this incident in Oldsmar (which was roughly 30 miles from the stadium where the Super Bowl was being played).

  1. Hackers pick targets of all sizes. At the risk of sounding like a broken record, it’s important to understand that hackers target businesses of all sizes. Like the lowly and unassuming water plant, your small business may actually be more at risk than big companies. Remember that the biggest companies in your area have teams of IT professionals protecting their stuff, and they have systems, tools and protocols for identifying security risks. They are also used to being targets of all kinds of criminal activity. Small businesses like yours are less obvious targets than big corporations, and they also tend to be a lot less prepared.

  2. Hackers pick the easiest targets. Remember the behavior of the hackers themselves. At their core, hackers are lazy. They pick the easiest target and the one with the fewest hurdles to gain entry. If you’ve made it easy by letting your security lag (or not instituting security in the first place), don’t be surprised if the hackers target you. Just like thieves who look for cars that are unlocked because they are easier to vandalize than vehicles that have been locked, cyber criminals look first for targets that have left their virtual doors and windows wide open.

  3. Poor password management made it easy. The plant had multiple employees accessing the same system using one single account and one shared password. This is a no-no for several reasons. In addition to being a major security red flag, it also causes another problem. If all of your employees log in through a single set of login credentials, there is zero accountability and zero accurate recordkeeping. If you have an incident arise, it may be impossible to know which employee took a specific action or was logged in at a specific time – ultimately you won’t know who was accountable.

  4. Poor technology made it even easier. Two points here:

    • The plant was running Windows 7. WINDOWS 7. Windows 7 was released in 2009 and is so old that Microsoft doesn’t support it anymore. Hackers are always trying to beat the technology, so don’t give them a leg up by using technology that is archaic. If you haven’t updated your company’s software in many years or (red flag!) if your software is so old that it is no longer supported by the company that issued it, it’s time for an upgrade. Yes, it’s expensive. But the ramifications of using out-of-date software can be more expensive in the long run.

    • In addition, the hacker got in through a third-party system connected to the plant’s controls. This is incredibly common as third-party systems and apps very frequently have far less security than major operating systems. Think of it like the difference between smashing a kid’s piggy bank versus breaking into a bank vault. Companies must be very mindful of the security of these third-party systems that are connected to other major systems. These are often the very virtual doors and windows hackers climb through – and they are very often not locked.

  5. They were lucky. According to reports, the incident at the water plant was caught quickly in part because an employee literally watched the hackers get into the system and try to make changes on his work terminal live as it was happening. But what if he’d been in the bathroom or on a smoke break? The plant got pretty lucky. But you absolutely can’t count on luck to save your business from criminals. The same way you have insurance to protect against a physical break-in, do some due diligence and put some security measures in place. It’s like insurance against cyber criminals, and it’s definitely worth your time. Read more about proper social media governance on my site here.
