US Water Utilities Hacked After Default Passwords Set to '1111', Cybersecurity Officials Say

An anonymous reader shared this report from Fast Company:

Providers of critical infrastructure in the United States are doing a sloppy job of defending against cyber intrusions, the National Security Council tells Fast Company, pointing to recent Iran-linked attacks on U.S. water utilities that exploited basic security lapses [earlier this month]. The security council tells Fast Company it's also aware of recent intrusions by hackers linked to China's military at American infrastructure entities that include water and energy utilities in multiple states.

Neither the Iran-linked or China-linked attacks affected critical systems or caused disruptions, according to reports.

'We're seeing companies and critical services facing increased cyber threats from malicious criminals and countries,' Anne Neuberger, the deputy national security advisor for cyber and emerging tech, tells Fast Company. The White House had been urging infrastructure providers to upgrade their cyber defenses before these recent hacks, but 'clearly, by the most recent success of the criminal cyberattacks, more work needs to be done,' she says... The attacks hit at least 11 different entities using Unitronics devices across the United States, which included six local water facilities, a pharmacy, an aquatics center, and a brewery...

Some of the compromised devices had been connected to the open internet with a default password of '1111,' federal authorities say, making it easy for hackers to find them and gain access. Fixing that 'doesn't cost any money,' Neuberger says, 'and those are the kinds of basic things that we really want companies urgently to do.' But cybersecurity experts say these attacks point to a larger issue: the general vulnerability of the technology that powers physical infrastructure. Much of the hardware was developed before the internet and, though they were retrofitted with digital capabilities, still 'have insufficient security controls,' says Gary Perkins, chief information security officer at cybersecurity firm CISO Global. Additionally, many infrastructure facilities prioritize 'operational ease of use rather than security,' since many vendors often need to access the same equipment, says Andy Thompson, an offensive cybersecurity expert at CyberArk. But that can make the systems equally easy for attackers to exploit: freely available web tools allow anyone to generate lists of hardware connected to the public internet, like the Unitronics devices used by water companies.

'Not making critical infrastructure easily accessible via the internet should be standard practice,' Thompson says.

Read more of this story at Slashdot.