Hackers in Iran attack computer at Vero Utilities
STORY BY LISA ZAHNER (Week of December 14, 2023)
The Mideast war touched Vero early on Thanksgiving Day when an Israeli-made component that monitors and adjusts odor at the municipal wastewater treatment plant was attacked remotely by hackers in Iran.
Water-sewer Utility Director Rob Bolton told the Utilities Commission last week that the equipment called a programmable logic controller was taken over and briefly controlled by Iranian operators.
“The City of Vero Beach was the first one that was hacked in the United States” via the Israeli equipment, Bolton said. “It happened at 2 o’clock in the morning on Thanksgiving morning, so I got the phone call about it and we shut the system off.”
There was no ransomware injected into the system and no demands were made of the city by the hackers. The hacked component at the sewer plant also had no link to the city’s billing or customer data systems; its sole role at the plant was odor control.
Bolton, in consultation with the city’s Information Technology staff, reported the hack to state cybersecurity officials, and to Vero Beach Police Chief David Currey, who then reported the breach to the FBI. Cybersecurity specialists from the FBI came to Vero to investigate the hack of the plant on Black Friday.
The Israeli-made PLC is a commonly used, reliable product and has been in place at the city’s sewer plant for about 20 years.
The Iranians hacked into the equipment through an old T-Mobile cellular modem attached to the PLC. Bolton said the city had been given a free trial of a monitoring service on the PLC during the initial two-year warranty period, which used the T-Mobile modem to communicate back to a monitoring station.
When the free trial was up, Vero did not continue the monitoring service for a fee, because the plant’s control center monitored the device. But the modem was never removed when the monitoring service was discontinued, leaving a vulnerable portal.
The PLC itself comes with a password protection function, but Bolton said the default factory password had never been changed from 11111.
“Originally when the unit would come out, there was a password in there and if whoever programmed the unit never changed that password, then they (the hackers) were able to gain access,” Bolton said. “All they’ve gotta do is sit there and ping until they get a return and boom, they go right in.”
Fortunately, the odor-control PLC that was hacked was what Bolton called a “standalone” system that was easily shut down.
“It didn’t affect the unit, all it did was display a big, red banner more or less saying , ‘We are the Cyber Avengers and you have been hacked. Any Israeli-made product is our legal target,’” Bolton said.
Bolton said the T-Mobile modem and the PLC are now in FBI custody and the controller at the sewer plant has been replaced with a new one that arrived in early December.
“If it was a water plant, it would be a federal offense. It being a wastewater plant, it wasn’t a federal offense, but they didn’t really know what to do with it,” Bolton said of the state-level cybersecurity officials he reported the hack to.
But the FBI took the matter very seriously, he said.
“Whether it was wastewater or water it didn’t matter, they saw the vulnerability. If they can get into a wastewater plant, they can just as easily get into a water plant,” Bolton said.
The breach came up at the meeting only because the Town of Indian River Shores’ representative on the Utilities Commission, Shores Councilman Bob Auwaerter, had been doing cybersecurity research for the town and had been to a seminar in late November on the topic.
Auwaerter had also read news reports about Iranian hacks of Israeli-made utility equipment and was curious if Vero had anything at its plants that might be Israeli, and therefore vulnerable.
“Would we ever have found out if I hadn’t brought it up at the Utility Commission?” Auwaerter said after the Dec. 5 meeting.
Auwaerter told the Utilities Commission about Department of Homeland Security resources the city could use to test the utility systems more rigorously for ways that hackers could gain access. Auwaerter also informed the commission that due to a recent change in Florida Statute, municipalities are now permitted to have an executive session or “shade meeting” with staff addressing cybersecurity concerns outside of or exempt from Florida’s Sunshine laws.
In designing the new wastewater treatment plant, Bolton said the hacking experience will better inform him and the city’s IT and cybersecurity staff and consultants to make the new plant a much harder target.
No vendors will be permitted to have outside access to equipment in the new plant, and even Bolton will simply have “read-only” access to monitor the systems, not remote control capabilities.