Special Report: Hacker Intrusion of Florida Treatment Facility Attempted to Raise Levels of Caustic Lye in Water Supply
Little is known about the intrusion aside from the hacker's unauthorized entry via TeamViewer; the Sheriff brands the attack "sophisticated," although some infosec pros disagree
A press conference hosted by Pinellas County, Florida, Sheriff Bob Gualtieri, which included Mayor Eric Seidel and City Manager Al Braithwaite of the 15,000-person City of Oldsmar, laid out details of an intrusion of the city’s water treatment system during which a hacker tried to change the level of sodium hydroxide in the city’s water supply from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also known as lye or caustic soda, is the main ingredient in drain cleaners; in low concentrations, it regulates the pH level of water. In high concentrations, it’s deadly.
The hacker used remote access software called TeamViewer to gain entry to the system and began remotely operating a mouse on a targeted computer, an activity noticed by an IT staff member watching the screen, who initially thought it was his supervisor working remotely. Later, the employee spotted the changes to the sodium hydroxide levels and returned them to normal.
Chris Wysopal (@WeldPond): Luckily this happened when the operator was able to watch it happen. If they hadn't, there are alarms that would have noticed the pH level too high and changes could have been made before the unsafe water made it to the water supply.
Officials say even if the altered levels hadn’t been noticed, alarms and redundancy in the system would have barred contamination of the water supply and ensuing mass casualty.
Beyond these bare-bones details, little is known about the attack. The attacker could be a nation-state or a script kiddie. “We don’t [know] right now whether the breach originated in the United States or outside the country,” Gualtieri said in his press conference. Many cybersecurity experts downplayed the idea that the attack was a sophisticated one, particularly given the ease of entry via TeamViewer.
But it’s not easy to navigate around an industrial control environment, as a column I wrote last year in the wake of eerily similar attacks on Israel’s water supply outlines. “It’s not just an accident when you are taking [sodium hydroxide] from 100 parts per million to 11,100 parts per million,” Gualtieri said during the conference. “In order to get into the system, somebody had to use pretty sophisticated ways of doing it.”
What is clear is that underfunded local water systems — there are 70,000 total in the U.S. — tend to lack cybersecurity expertise and generally need more tools, guidance, and money to ensure better security.
Moreover, water systems would be well equipped if they followed certain security fundamentals laid out by their expert organizations.
Gualtieri said that his office is asking all governmental entities in the Tampa Bay area with critical infrastructure components to actively review their computer security protocols and make any necessary updates consistent with the most up-to-date practices. Meanwhile, the FBI and the Secret Service are involved in investigating the incident.