
The Hidden Risk of Fragmented RMM: What the Oldsmar Water Hack Teaches Us About Remote Access

AlertMonitor Team
June 8, 2026
6 min read

The U.S. energy sector is spending heavily on modernizing the grid, yet a fundamental weakness remains: decades-old operational technology managed with outdated security practices. The 2021 intrusion at the Oldsmar, Florida water treatment plant is a cautionary tale for every IT professional. According to the public account, the attacker reached a Windows control station (an end-of-life Windows 7 machine) through remote access software, TeamViewer, that had been left installed and reachable from the internet and was protected by a single password shared among staff.

While you might not be managing a municipal water plant, the underlying operational failure is likely familiar to you. It is the gap between seeing a problem and fixing it securely.

The Problem: Tool Sprawl Creates Security Gaps

In the Oldsmar incident, the failure wasn't just a weak password; it was a failure of management context. The remote access tool was likely a "set it and forget it" installation, disconnected from the visibility of the network operations team, so nobody was watching who connected, when, or from where.

For IT departments and MSPs, this manifests daily as tool sprawl. You use one tool to ping the server (monitoring), a completely different console to remote into the endpoint (RMM), and a third platform to log the ticket (helpdesk).

This fragmentation creates dangerous blind spots:

  • Context Switching Delays: When a critical alert fires for a Windows Server, a technician has to stop, find the IP, open their RMM client, establish a connection, and log in. Every minute spent switching tabs is a minute the system is vulnerable or offline.
  • Shadow IT Access: Because native monitoring tools often lack robust remote control, techs often install third-party remote access tools (like TeamViewer or RDP wrappers) to speed up their work. These frequently go unpatched and unmonitored—exactly the vulnerability exploited in Oldsmar.
  • Siloed Credentials: Managing separate credentials for your monitoring dashboard and your remote access tools leads to password fatigue. When technicians are rushed, they reuse passwords or stick with default creds to save time.

The result isn't just frustration; it is a widened attack surface and slower Mean Time to Resolution (MTTR).

How AlertMonitor Solves This

AlertMonitor eliminates the "swivel-chair" routine by embedding enterprise-grade RMM and Remote Management directly into the monitoring console. We don't just alert you that a service is down; we give you the secure, authenticated tools to fix it without leaving the screen.

Unified Workflow

In a traditional environment, an alert about a stopped Windows Spooler service requires:

  1. Receive alert via email or Slack.
  2. Log into Monitoring Tool A to confirm.
  3. Log into RMM Tool B to remote into the server.
  4. Open a command prompt and restart the service.
  5. Log into Helpdesk Tool C to close the ticket.

In AlertMonitor, the workflow is:

  1. Receive alert in the NOC dashboard.
  2. Click "Run Script" or "Remote Control" directly from the alert timeline.
  3. The action executes immediately, and the result is logged against the asset automatically.

Secure, Audited Access

AlertMonitor’s remote sessions run through our secure gateway. You don't need to open RDP ports (TCP 3389) to the internet, nor do you need to deploy standalone third-party agents that might be abandoned. Every remote session and script execution is logged in the same timeline as your CPU and memory metrics. If someone remotes into a workstation at 2 AM, you see it right alongside your bandwidth alerts.
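The visibility described above does not have to wait for a platform migration. The following PowerShell script is an added example, not AlertMonitor code: run on a Windows host, it collects the two event sources that record interactive remote logons (Security event 4624 with logon type 10, which is RDP, and the TerminalServices-LocalSessionManager events 21 and 25 for session logon and reconnect) and flags those outside business hours. The seven-day window and the 07:00 to 19:00 business-hours range are assumptions, and reading the Security log requires administrator or Event Log Readers rights.

```powershell
# Added example (not AlertMonitor code): list remote interactive logons to this host
# and flag those outside business hours, so a 2 AM remote session stands out.
$Since         = (Get-Date).AddDays(-7)   # assumption: look back one week
$BusinessStart = 7                        # assumption: business hours 07:00-19:00
$BusinessEnd   = 19

function Get-RemoteLogons {
    param([datetime]$Since)

    # Security log: 4624 carries account, logon type and source IP in EventData.
    # LogonType 10 = RemoteInteractive, i.e. an RDP session.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LogonType'] -eq '10') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Source = 'Security/4624'
                    User   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    From   = $d['IpAddress']
                }
            }
        }

    # LocalSessionManager log: 21 = session logon succeeded, 25 = session reconnect.
    # These fire even when the session is a reconnect to an existing desktop.
    $lsm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 25; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $u = ([xml]$_.ToXml()).Event.UserData.EventXML
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = "LSM/$($_.Id)"
                User   = $u.User
                From   = $u.Address
            }
        }

    @($sec) + @($lsm) | Where-Object { $_ -ne $null }
}

$logons   = Get-RemoteLogons -Since $Since
$offHours = $logons | Where-Object { $_.Time.Hour -lt $BusinessStart -or $_.Time.Hour -ge $BusinessEnd }

Write-Output "$($logons.Count) remote logons since $Since on $env:COMPUTERNAME, $($offHours.Count) outside $($BusinessStart):00-$($BusinessEnd):00"
$offHours | Sort-Object Time | Format-Table Time, Source, User, From -AutoSize
```

Pushed through a script executor on a schedule, the output lands next to the host's metrics; the same events are what a SIEM would ingest, but having them in the alert timeline is what closes the gap between a 2 AM session and the technician who notices it.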

Practical Steps: Secure Your Remote Management Today

The goal is to move away from ad-hoc remote access and toward scripted, audited remediation. Here is how you can use AlertMonitor’s RMM capabilities to tighten security and improve response times.

1. Audit and Disable Unnecessary RDP Endpoints

Instead of manually RDPing into every server to check whether Remote Desktop is accepting connections, push a script across your Windows Server fleet to generate a report. A forgotten, reachable remote access path is exactly what was abused in Oldsmar; the first step is knowing where yours are.

Run this PowerShell script via AlertMonitor's script executor. It reports whether RDP is enabled, whether Network Level Authentication (NLA) is enforced, and what is currently listening or connected on TCP 3389, so the output can be compared against your list of approved jump hosts:

PowerShell
# Report Remote Desktop exposure on this host.
# Get-CimInstance replaces the deprecated Get-WmiObject used in older scripts.
$Rdp = Get-CimInstance -Namespace root\cimv2\terminalservices -ClassName Win32_TerminalServiceSetting
$Nla = Get-CimInstance -Namespace root\cimv2\terminalservices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

if ($Rdp.AllowTSConnections -eq 1) {
    Write-Output "WARNING: RDP is Enabled on $env:COMPUTERNAME"
    # NLA authenticates before the logon screen is shown; without it anyone who can
    # reach 3389 gets a desktop logon prompt and a large pre-auth attack surface.
    $NlaState = if ($Nla.UserAuthenticationRequired -eq 1) { 'Enforced' } else { 'NOT enforced' }
    Write-Output "  Network Level Authentication: $NlaState"
    # Listening sockets and live sessions on 3389 for the AlertMonitor timeline
    Get-NetTCPConnection -LocalPort 3389 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, RemoteAddress, State
} else {
    Write-Output "SECURE: RDP is Disabled on $env:COMPUTERNAME"
}
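The audit only tells you where the doors are; the "disable" half of this step is a second script that enforces the decision. The following PowerShell is an added example, not AlertMonitor code. It assumes a hypothetical allow-list of servers that are permitted to accept RDP (`$ApprovedRdpHosts`) and a hypothetical management subnet (`$ManagementSubnet`) that is the only source allowed to reach TCP 3389 on them; hosts not on the list get RDP turned off and the built-in "Remote Desktop" firewall group disabled, while approved hosts keep RDP but with NLA and TLS enforced and the firewall rules restricted to that subnet. It must run elevated through an agent, not over an RDP session to the same host, since it can cut off the connection it runs over. The firewall display group name is the English one; localized Windows builds name it differently.

```powershell
# Added example (not AlertMonitor code): enforce the RDP posture decided after the audit.
# Assumptions (hypothetical values): the allow-list of hosts that may accept RDP, and the
# management network that is the only permitted source for TCP 3389.
$ApprovedRdpHosts = @('JUMP01', 'JUMP02')   # hypothetical approved jump hosts
$ManagementSubnet = '10.50.0.0/24'          # hypothetical management network
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

if ($env:COMPUTERNAME -notin $ApprovedRdpHosts) {
    # Not approved: refuse connections at the service level and close the firewall group.
    # fDenyTSConnections = 1 is the registry form of "Don't allow remote connections".
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    Write-Output "HARDENED: RDP disabled on $env:COMPUTERNAME (not in approved list)"
} else {
    # Approved: keep RDP, but require NLA (auth before the logon screen), require TLS
    # (SecurityLayer 2), and only accept connections from the management subnet.
    Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections         -Value 0 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name UserAuthenticationRequired -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer              -Value 2 -Type DWord
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-NetFirewallRule    -DisplayGroup 'Remote Desktop' -RemoteAddress $ManagementSubnet
    Write-Output "HARDENED: RDP kept on $env:COMPUTERNAME, NLA and TLS enforced, source limited to $ManagementSubnet"
}

# Read the settings back so the timeline records what is in effect, not what was attempted.
$Deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections).fDenyTSConnections
$Nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthenticationRequired).UserAuthenticationRequired
$Tls  = (Get-ItemProperty -Path $RdpTcp -Name SecurityLayer).SecurityLayer
Write-Output ("VERIFY: fDenyTSConnections={0} UserAuthenticationRequired={1} SecurityLayer={2}" -f $Deny, $Nla, $Tls)
```

The read-back at the end matters: a remediation that logs "done" without re-checking is the same blind spot the article describes, just one layer down.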

2. Automate Remediation for Common Failures

If a monitoring trigger detects a hung service, don't remote in to restart it. Configure the alert to automatically run a remediation script. If it requires human approval, a technician can execute it with one click from the mobile app.

This script safely restarts the Print Spooler (a common point of failure) and returns the new status to the AlertMonitor dashboard. One caveat before automating it: on servers that never print, such as domain controllers, the right remediation is to disable the Spooler rather than keep restarting it. The service has a long history of privilege-escalation bugs and exists on those hosts only as attack surface.

PowerShell
$ServiceName = "Spooler"
try {
    $Service = Get-Service -Name $ServiceName -ErrorAction Stop
    
    if ($Service.Status -ne 'Running') {
        Write-Output "Attempting to restart $ServiceName..."
        Restart-Service -Name $ServiceName -Force -ErrorAction Stop
        Start-Sleep -Seconds 5
        
        # Verify the service started
        $Service.Refresh()
        if ($Service.Status -eq 'Running') {
            Write-Output "SUCCESS: $ServiceName is now Running."
        } else {
            Write-Output "FAILURE: $ServiceName failed to start. Status is $($Service.Status)"
        }
    } else {
        Write-Output "INFO: $ServiceName was already running."
    }
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
}

3. Centralize Your Remote Control

Consolidate your remote tools. If your team currently uses three different tools for remote access (one for servers, one for workstations, one for emergency access), migrate them into AlertMonitor. This ensures that:

  1. Permissions are consistent. (If someone is offboarded, they lose access to everything immediately).
  2. Sessions are recorded. (You have an audit trail for compliance).
  3. Context is preserved. (You are clicking "Remote" from the device that just threw an alert).

Conclusion

The attackers targeting the power grid and utilities are counting on disorganization and friction. They count on IT teams being too slow to respond because they are fighting with five different tools. By unifying your monitoring and remote management in AlertMonitor, you close the gap between "alert" and "action," ensuring that your access is as secure as it is fast.
