Unidentified cyber attackers gained access to a panel that controls the water treatment plant in the city of Oldsmar, near Tampa, Florida, and modified a setting. The modification would have drastically increased the amount of sodium hydroxide in the water supply, officials from Pinellas County in Florida announced on Monday.
“Water systems, like other public utility systems, are part of the nation’s critical infrastructure and can be vulnerable targets when someone desires to adversely affect public safety,” said Pinellas County Sheriff Bob Gualtieri in a press conference on Monday. He was joined by Mayor Eric Seidel and City Manager Al Braithwaite.
The intrusion was detected on Friday by a plant operator, who noticed that someone had remotely accessed the computer system he was monitoring, which controls the chemicals and other operations of the water treatment plant, Gualtieri said. The software was set up to allow remote access to certain authorized users for troubleshooting problems from other locations.
The staffer did not at first think much of it. But later in the day, another intrusion was detected, this time with the hacker taking control of the mouse and operating the computer system remotely, and opening various functions on the screen for about three to five minutes, according to Gualtieri.
One of the functions opened controlled the amount of sodium hydroxide in the water. The hacker increased the sodium hydroxide level from about 100 parts per million (ppm) to about 11,100 ppm, an extremely dangerous level, Gualtieri said. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners; in water treatment plants it is used to control water acidity and remove metals from drinking water.
After increasing the sodium hydroxide level, the intruder exited the system. The plant operator immediately reversed the change, returning the setting to the appropriate amount of 100 ppm. The public was never put in danger, as the lye level was immediately reversed, Gualtieri said.
“I will be asking the FBI to provide all assistance necessary in investigating an attempt to poison the water supply of a Florida city,” wrote Marco Rubio, U.S. senator for Florida, in a Twitter message on Monday. “This should be treated as a matter of national security.”
Had the operator not observed the attacker actively manipulating the screen, it is possible that several other mechanisms in the water treatment plant's control and monitoring system would have alerted plant staff to the condition, wrote Ben Miller, an executive at cybersecurity company Dragos, in a blog post on Monday. However, it is also entirely possible that this action could have resulted in people getting sick or potentially even dying, he added.
It has been publicly acknowledged that an operator machine had a remote access software package – TeamViewer – installed and accessible to the Internet, according to Miller. This led to manipulation of control set points for the dosing rate of sodium hydroxide into the water.
TeamViewer is a legitimate software package that is installed directly on a Windows host and allows easy connectivity from anywhere. “Its ease of use has allowed it to increasingly be used in industrial environments and, while legitimate software, may be unauthorized or rogue software,” Miller added.
“Water and wastewater is one of the most at-risk critical infrastructure sectors today,” said Grant Geyer, chief product officer at industrial cybersecurity company Claroty. Industrial control system (ICS) vulnerability disclosures affecting the water and wastewater sector increased significantly year-over-year during the second half (2H) of 2020, up 54 percent from the second half of 2019 and 63 percent from the second half of 2018.
Because of the long depreciation period of equipment in critical infrastructure environments, technology obsolescence and security vulnerabilities are a common occurrence, Geyer added. Additionally, many water utilities are small entities and are under-resourced, which makes developing a robust security program that much more challenging.