Hackers Attack Water Treatment Plant by Exploiting Vulnerability in Unsupported Operating System
On January 14, 2020, Microsoft ended all support for the Windows 7 operating system. One year later, that means the legacy OS is no longer backed by Microsoft’s technical support, software updates, or security patches—and security experts have identified vulnerabilities in the software that are now being exploited.
A recent joint cybersecurity advisory issued by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Environmental Protection Agency (EPA) warns companies about using outdated Windows 7 systems, particularly with desktop sharing software and weak account passwords.
The specific alert comes after an unidentified hacker attacked a water treatment plant in Florida, gaining access to the plant’s network through Windows 7 and a remote access program called TeamViewer. The hacker then took over a user’s mouse and modified chemical dosages of sodium hydroxide to dangerous levels—luckily, the user noticed the unusual activity, readjusting the dose to guarantee uninterrupted operations and immediately alerting IT security.
Still, the attack raises big questions about the vulnerabilities of sticking with Windows 7. A newsworthy event like this is inevitable after a popular operating system reaches its “end of life” stage, where unsupported computers become far more susceptible to infection from viruses, malware, and ransomware. We saw it in the aftermath of Windows XP’s “end of life,” when the WannaCry ransomware strain spread across the globe. We’ll no doubt see it again as more bad actors take advantage of similar vulnerabilities in Windows 7—and as remote access tools become more commonplace a year into the COVID-19 pandemic.
What can you do to keep your business safe?
Windows 7’s market share didn’t plummet immediately last year when support for it ended. But usage of the legacy operating system has fallen by half—35% of all PCs were still using Windows 7 in January 2020, while only 17% were still using it in January 2021. Here’s what CMIT Solutions suggests if Windows 7 still powers any of your company’s machines.
1) Identify an upgrade path for every machine still on Windows 7.
According to Microsoft, the path to safety is simple: “the best way for you to stay secure is on Windows 10.” The tech giant’s latest operating system offers faster start-up times, built-in security, and a user-friendly interface. Of course, not everyone is ready, willing, or able to move to a new OS.
2) Work with a trusted business partner to assess your existing hardware.
The tech requirements for installing Windows 10—a processor faster than 1 GHz, at least 1 GB of RAM, 16 GB of hard disk space, and 800 x 600 resolution—may necessitate the purchase of new equipment. The general rule of thumb for computers is that anything more than three years old should probably be replaced. If a machine is less than two years old, it can probably handle an upgrade to Windows 10. This scenario will differ from business to business, which is why it’s so important to work with a trusted IT provider for a comprehensive and objective look at your tech ecosystem.
3) Pay attention to your data backups.
Whether you decide to upgrade to Windows 10 on existing equipment, purchase new computers, or even stick with Windows 7, make sure all of your important files and information are safely, securely backed up—ideally to a remote location. Regular data backups won’t prevent data breaches, network intrusions, and other problems, but they can at least help to mitigate threats and vulnerabilities.
4) Understand the threat of sticking with Windows 7.
Even after assessing the situation, many companies will need to stick with the old operating system. (The Florida water treatment plant mentioned above was still using it in the aftermath of the attack!) Maybe you have legacy accounting or data management software that will only run on Windows 7. Budgetary concerns, particularly after such a challenging year for small businesses, may make any upgrade cost-prohibitive. But as security threats related to Windows 7 continue to increase, the threat to your company’s day-to-day operations will increase, as well.
5) Can't upgrade a machine? Isolate it.
If you do need to keep using a computer with Windows 7, make sure it is isolated from the rest of your office network and disconnected from the Internet when possible. Increase the strength of the password protecting it, and make sure it does not have any version of remote access software installed on it. This may require an IT provider to scan it for vulnerabilities. The bottom line is that you should proceed with extreme caution if you are going to continue to use a Windows 7 machine.
6) Educate your employees.
In addition to upgrading to Windows 10 and heightening IT protection, the moral of the water treatment plant attack is that an alert employee saved the day. Training your employees to identify malware, ransomware, phishing, and other unusual activities gives your company an extra first line of defense that’s bolstered by other user-specific enhancements like multi-factor authentication and single sign-on.
CMIT Solutions has helped thousands of businesses navigate end-of-life software scenarios like this one, and we understand what businesses need to survive and thrive in today’s challenging cybersecurity environment. It’s never easy to move on from a longtime legacy operating system like Windows 7—but it also isn’t safe to keep using an unsupported OS.
If you think your company is susceptible, contact CMIT Solutions today. We assess your company’s current IT environment and identify key vulnerabilities that need to be fixed. Then, we work with you to develop a long-term strategy for success that avoids problems like this in the future.