Security Experts:

Connect with us

Hi, what are you looking for?



U.S. Gov Warning on Water Supply Hack: Get Rid of Windows 7

On the heels of last week’s lye-poisoning attack against a small water plant in Florida, the U.S. government’s cybersecurity agency is pleading with critical infrastructure defenders to rip-and-replace Windows 7 from their networks as a matter of urgency.

On the heels of last week’s lye-poisoning attack against a small water plant in Florida, the U.S. government’s cybersecurity agency is pleading with critical infrastructure defenders to rip-and-replace Windows 7 from their networks as a matter of urgency.

The government’s latest appeal, issued via a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), comes amidst reports that the remote hack of the water plant near Tampa Bay was being blamed on poor password hygiene and attacks on systems running Microsoft’s out-of-service Windows 7 operating system. In addition to running Windows 7 on computers at the plant, all devices used the same password for remote access.

Microsoft ended support for Windows 7 more than a year ago but, as cybersecurity experts warn on a nonstop basis, the plants and factories that run critical infrastructure are very slow to migrate to newer operating systems. 

This means that unless organizations purchase an Extended Security Update (ESU) plan from Microsoft, security patches for remote, code-execution vulnerabilities will remain unpatched.  The ESU is a per-device plan available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues use. 

[ Learn more about threats to industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series ]

More ominously, Microsoft will only offer the ESU plan until January 2023, meaning that any tardy organization lagging with OS migration plans will be sitting duck for dangerous hacker attacks.

“Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system. Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits,” the agency warned.  “Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the vulnerability. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks.”

In its bulletin, the agency all but confirmed public reports that the TeamViewer software was used to gain unauthorized access to the system. “The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” the agency said, repeating urgent warnings that these present a perfect playbook and roadmap into sensitive networks.

[RELATED: Remote Hacker Caught Poisoning Florida City Water Supply ]

As SecurityWeek previously reported, the hack was spotted on February 5th — and neutralized — in real time by staff at the plant that supplies water to Oldsmar, a small city close to Tampa, Florida.

Local law enforcement officials said an unknown adversary hacked into the plant remotely and attempted to elevate levels of levels of sodium hydroxide by a factor of more than 100. 

Sodium hydroxide, also known as lye, controls the acidity in potable water but elevated levels maliciously added to water supply can cause physical harm to the public.

The joint-advisory contains specific mitigation recommendations to harden ICS/SCADA networks across the country. These include:

• Update to the latest version of the operating system (e.g. Windows 10). 

• Use multiple-factor authentication. 

• Use strong passwords to protect Remote Desktop Protocol (RDP) credentials. 

• Ensure anti-virus, spam filters, and firewalls are up to date, properly configured and secure.

• Audit network configurations and isolate computer systems that cannot be updated. 

• Audit your network for systems using RDP, closing unused RDP ports, applying multiple-factor authentication wherever possible, and logging RDP login attempts.

• Audit logs for all remote connection protocols. 

• Train users to identify and report attempts at social engineering. 

• Identify and suspend access of users exhibiting unusual activity.

In addition to ditching Windows 7, the agency urged network defenders to lock down TeamViewer desktop-sharing software and ensure proper password hygiene and rules are employed.

RelatedSecurity Industry Reacts to U.S. Water Plant Hack: Feedback Friday

Related: Iranian Hackers Access Unprotected ICS at Israeli Water Facility

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).