Security Experts:

U.S. Gov Warning on Water Supply Hack: Get Rid of Windows 7

On the heels of last week’s lye-poisoning attack against a small water plant in Florida, the U.S. government’s cybersecurity agency is pleading with critical infrastructure defenders to rip-and-replace Windows 7 from their networks as a matter of urgency.

The government’s latest appeal, issued via a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), comes amidst reports that the remote hack of the water plant near Tampa Bay was being blamed on poor password hygiene and attacks on systems running Microsoft’s out-of-service Windows 7 operating system. In addition to running Windows 7 on computers at the plant, all devices used the same password for remote access.

Microsoft ended support for Windows 7 more than a year ago but, as cybersecurity experts warn on a nonstop basis, the plants and factories that run critical infrastructure are very slow to migrate to newer operating systems. 

This means that unless organizations purchase an Extended Security Update (ESU) plan from Microsoft, security patches for remote, code-execution vulnerabilities will remain unpatched.  The ESU is a per-device plan available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues use. 

[ Learn more about threats to industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series ]

More ominously, Microsoft will only offer the ESU plan until January 2023, meaning that any tardy organization lagging with OS migration plans will be sitting duck for dangerous hacker attacks.

“Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system. Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits,” the agency warned.  “Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the vulnerability. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks.”

In its bulletin, the agency all but confirmed public reports that the TeamViewer software was used to gain unauthorized access to the system. “The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” the agency said, repeating urgent warnings that these present a perfect playbook and roadmap into sensitive networks.

[RELATED: Remote Hacker Caught Poisoning Florida City Water Supply ]

As SecurityWeek previously reported, the hack was spotted on February 5th -- and neutralized -- in real time by staff at the plant that supplies water to Oldsmar, a small city close to Tampa, Florida.

Local law enforcement officials said an unknown adversary hacked into the plant remotely and attempted to elevate levels of levels of sodium hydroxide by a factor of more than 100. 

Sodium hydroxide, also known as lye, controls the acidity in potable water but elevated levels maliciously added to water supply can cause physical harm to the public.

The joint-advisory contains specific mitigation recommendations to harden ICS/SCADA networks across the country. These include:

• Update to the latest version of the operating system (e.g. Windows 10). 

• Use multiple-factor authentication. 

• Use strong passwords to protect Remote Desktop Protocol (RDP) credentials. 

• Ensure anti-virus, spam filters, and firewalls are up to date, properly configured and secure.

• Audit network configurations and isolate computer systems that cannot be updated. 

• Audit your network for systems using RDP, closing unused RDP ports, applying multiple-factor authentication wherever possible, and logging RDP login attempts.

• Audit logs for all remote connection protocols. 

• Train users to identify and report attempts at social engineering. 

• Identify and suspend access of users exhibiting unusual activity.

In addition to ditching Windows 7, the agency urged network defenders to lock down TeamViewer desktop-sharing software and ensure proper password hygiene and rules are employed.

RelatedSecurity Industry Reacts to U.S. Water Plant Hack: Feedback Friday

Related: Iranian Hackers Access Unprotected ICS at Israeli Water Facility

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.