Why is it fully automated, let alone connected to the internet with 0 security measures, in the first place?
It's fully automated because industrial scale water treatment isn't something you can reasonably do by hand. Even if setting up the system for remote access is necessary, I'd at least use the network firewall to block untrustworthy IP addresses (which still isn't foolproof, but at least forces an attacker to VPN into the US before even a valid password is accepted).
Should have required user input especially when levels are going to change outside of usual parameters.
The system shouldn't be able to just dump unsafe amounts of lye in without human oversight. It doesn't cost that much to hire an operator to essentially just watch the system
But the unprotected remote access is the main problem anyways
When the problem can be solved by Homer Simpson (wasn't that basically his job at the power plant? Watch for flashy lights and approve/click them?), then you have no excuse to not solve the problem that way until a better solution can be found.
Most modern water plants are 'fully' automated. You shouldn't be in the business if you aren't. The issue is always going to be poor security.
There are a LOT of hacks in the business. It's usually government workers, after all. I mean there are a LOT of dumbasses in the water and wastewater business, top to bottom. I live it.
And that includes IT departments as well you may need to rely on.
But in the end, it is almost impossible to harm downstream users from anything you could do hacking into a water plant. High chlorine? No one's going to drink that crap coming out of the tap.
In this article they're claiming it was caustic soda they tried to up the dose on though. That stuff doesn't have a particularly strong odor like chlorine and chlorites.
You'll taste it immediately sure and only a dumbass would swallow it, but depending on how high they can push the limits, it could still be a pretty rough day for anyone who burns the inside of their mouth, or the poor bastards who step in the shower and spray that stuff directly onto their face and eyes with no safe running water to wash it off with.
On the plus side, the pipes would get a nice clean though.
Earlier this week, we reported that hackers were trying to poison the water of 15,000 people in the town of Oldsmar in Florida, USA. This is done by attacking the software that controls the water supply and increasing the amount of sodium hydroxide, lye, in the water to dangerous levels.
Ars Technica now reports that the state of Massachusetts' cyber security department and the FBI have both concluded that the infested infrastructure had serious security flaws.
Running Windows 7
Among other things, the computers used will run Windows 7, an operating system that publisher Microsoft no longer supports and that has not received any new security updates in over a year.
Employees must also share one and the same password for Teamviewer, the program that the hacker used to gain remote access to the system. The computers with Teamviewer that have been connected to the internet must also have been without any kind of firewall.
According to Ars Technica, there is information that indicates that the authorities suspect that a former employee may be behind the intrusion.
Doesn't the military run its own Windows XP version that it has been updating on its own dime, because it is safer and better than anything after it? Or is that just an urban myth?
They did, as of 2015. Don't know if they still do.
And it's not necessarily that it's "safer" and "better" but they likely have a bunch of software that they either can't get to run on newer versions or they aren't able to qualify on newer versions. This happens a lot in regulated industries too, where it becomes cost prohibitive to qualify upgrades to systems to run on the newer OS-es, so it doesn't get done.
I know State Department still has 2003 servers running around the network somewhere. Legacy systems and incompetent management are a fucking security scourge.
This is my business and I'm going to call bullshit on anything but some dumbass screwing up and blaming hacking.
It's a community of 15k that shouldn't even be in the water production business when a large city surrounds them. I guarantee their income can't afford the infrastructure or quality of staff to be doing what they are doing.
They claimed the normal chlorine dose is 100ppm. No one doses chlorine to that going into a water supply AND a system this size would have not even had pumps that would go up to what they claimed it went to; 11,100 ppm.
I see this all the time. Some dumbass screws up and they make up some BS. You'll never hear what really happened but they always get to the bottom of it.
Your greatest threat are your own dumbass staff, management that doesn't care or get you the funding or technical support you need, and former disgruntled staff you didn't lockout.
Why is it fully automated, let alone connected to the internet with 0 security measures, in the first place?
Uncle Ted is right. Technology was a mistake
Here's an English article on the same incident
It's fully automated because industrial scale water treatment isn't something you can reasonably do by hand. Even if setting up the system for remote access is necessary, I'd at least use the network firewall to block untrustworthy IP addresses (which still isn't foolproof, but at least forces an attacker to VPN into the US before even a valid password is accepted).
Should have required user input especially when levels are going to change outside of usual parameters.
The system shouldn't be able to just dump unsafe amounts of lye in without human oversight. It doesn't cost that much to hire an operator to essentially just watch the system
But the unprotected remote access is the main problem anyways
When the problem can be solved by Homer Simpson (wasn't that basically his job at the power plant? Watch for flashy lights and approve/click them?), then you have no excuse to not solve the problem that way until a better solution can be found.
Exactly
agriculture was a mistake
RETVRN TO MONKE
the primitive technology guy looks like he is doing pretty well
*Megaman Battle Network intensifies *
https://kotakuinaction2.win/p/12hRLbuAad/x/c/4Dx4eWTPxLj
There are a LOT of hacks in the business. It's usually government workers, after all. I mean there are a LOT of dumbasses in the water and wastewater business, top to bottom. I live it.
And that includes IT departments as well you may need to rely on. But in the end, it is almost impossible to harm downstream users from anything you could do hacking into a water plant. High chlorine? No one's going to drink that crap coming out of the tap.
You say that but people kept drinking the water in Flint, even after saying it came out brown or foul smelling.
Flint's main problem was lead. You don't taste that.
The smell of chlorine is 1 to 1 related to dosage.
This is my business, internet 'acktually' guy.
In this article they're claiming it was caustic soda they tried to up the dose on though. That stuff doesn't have a particularly strong odor like chlorine and chlorites.
You'll taste it immediately sure and only a dumbass would swallow it, but depending on how high they can push the limits, it could still be a pretty rough day for anyone who burns the inside of their mouth, or the poor bastards who step in the shower and spray that stuff directly onto their face and eyes with no safe running water to wash it off with.
On the plus side, the pipes would get a nice clean though.
Translation for the non borkborks
Doesn't the military run its own Windows XP version that it has been updating on its own dime, because it is safer and better than anything after it? Or is that just an urban myth?
They did, as of 2015. Don't know if they still do.
And it's not necessarily that it's "safer" and "better" but they likely have a bunch of software that they either can't get to run on newer versions or they aren't able to qualify on newer versions. This happens a lot in regulated industries too, where it becomes cost prohibitive to qualify upgrades to systems to run on the newer OS-es, so it doesn't get done.
I know State Department still has 2003 servers running around the network somewhere. Legacy systems and incompetent management are a fucking security scourge.
there's probably some mission-critical system that they're unable or unwilling to replace.
This is my business and I'm going to call bullshit on anything but some dumbass screwing up and blaming hacking.
Your greatest threat are your own dumbass staff, management that doesn't care or get you the funding or technical support you need, and former disgruntled staff you didn't lockout.
I can’t wait for joe to make trade ‘sanctions’ on China where a third party country will buy the Chinese shit and sell it to us at a markup.