According to the state of Massachusetts, employees of the Oldsmar water treatment plant shared a TeamViewer password to log in to an unfirewalled Windows 7 machine to remotely access Supervisory Control and Data Acquisition (SCADA) systems.
These shortcomings illustrate a lack of security rigor in critical infrastructure.
Massachusetts officials wrote:
“The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.”
The hacker was able to increase the amount of sodium hydroxide in the water by a factor of 100. Had this gone undetected, it could have resulted in severe illness or death.