The water treatment plant in Oldsmar, Florida, was recently targeted by a malicious hacker who tried to poison the water used by over 15,000 residents by remotely increasing the level of a chemical used to control acidity in groundwater.
Last week, the local police in Oldsmar announced that an operator at the water treatment plant noticed suspicious activity by a remote user who had gained unauthorised access to the computer system controlling the chemical processes of the plant. The hacker briefly increased the amount of sodium hydroxide (lye) in the water before the operator restored it to recommended levels.
“The hacker changed the sodium hydroxide from about one hundred parts per million to 11,100 parts per million,” said Bob Gualtieri, the sheriff of Pinellas County. Sodium hydroxide (lye) is used in water treatment plants to raise the pH level of the water, which reduces corrosion and also lowers the lead content of the water. If swallowed, it can cause damage to the mouth, throat and stomach and induce vomiting, nausea and diarrhoea.
The hacker initially accessed a computer system that controlled water treatment operations at the plant at 8 AM on Friday and came back again at 1:30 PM, this time to remotely change the level of lye in the water. Fortunately, an operator saw the hacker move the cursor on the computer screen and immediately stopped the activity.
Luckily, the plant had systems in place to monitor the water supplied, which ensured that the water containing high levels of lye did not reach the main pipelines. “At no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger,” Gualtieri added.
The city officials held a press conference last Monday to warn the neighbouring municipalities about cyber attacks on industrial systems. Gualtieri said that the hacker used an unnamed remote-access software tool to gain access to the water treatment plant; the same tool is also used to troubleshoot IT problems for the employees.
The software also has a screen monitoring feature, which made it difficult for the operator to recognise that the system was being accessed without authorisation: he initially assumed that one of his fellow employees was accessing the system remotely.
Gualtieri told the media that, with the help of the FBI and the US Secret Service, they have started an investigation into the security incident. As of now, not much is known about where the attack was launched from or who was responsible for it.
Robert Cassidy, the Senior Director of Security Strategy at Exabeam, told TEISS that it’s incredibly fortunate that a diligent member of staff noted the anomalous activity and corrected it. That said, what we’ve seen exemplified here is that the need to understand and baseline normal, in terms of critical asset/system access, is absolutely key.
“Regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk. We’ve got to ensure we’re monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality – regardless of how small – should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale.
“Working smarter with automation technologies in managing large volumes of data streams, analysing them for anomalies and reporting risk in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical. We might not be so lucky next time,” he added.
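Cassidy's point about baselining normal access and investigating every abnormality in OT audit data, turned into a small detection routine. This is an added example, not code from the article, Exabeam or Orange Cyberdefense; the audit-log format, field names, user names and the 20-200 ppm dosing band are assumptions constructed for the illustration.

```python
"""Baseline anomaly detection over constructed OT audit events (added example,
not code from the article, Exabeam or Orange Cyberdefense). Log format, field
names and the 20-200 ppm band are assumptions, not the plant's real data."""
import re

# Constructed audit lines "<time> <kind> key=value ...", not real plant telemetry.
SAMPLE_LOG = """\
2021-02-05T08:00:12 REMOTE_SESSION_START user=ops-shared src=203.0.113.7
2021-02-05T08:03:40 REMOTE_SESSION_END user=ops-shared
2021-02-05T13:30:05 REMOTE_SESSION_START user=ops-shared src=203.0.113.7
2021-02-05T13:33:18 SETPOINT_CHANGE tag=NaOH_ppm old=100 new=11100 user=ops-shared
2021-02-05T13:34:50 REMOTE_SESSION_END user=ops-shared
2021-02-05T13:36:02 SETPOINT_CHANGE tag=NaOH_ppm old=11100 new=100 user=operator1
2021-02-05T15:10:44 SETPOINT_CHANGE tag=NaOH_ppm old=100 new=40 user=operator1
"""

SAFE_BAND_PPM = {"NaOH_ppm": (20.0, 200.0)}  # assumed engineering limits
MAX_STEP_RATIO = 2.0  # one change scaling an in-band dose by more than 2x is abnormal
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")

def parse_events(text):
    """Turn audit lines into (time, kind, fields) tuples; fields are key=value pairs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(3).split())
            events.append((m.group(1), m.group(2), fields))
    return events

def detect_anomalies(text):
    """Return (time, rule, detail) alerts: a setpoint leaving the band, an in-band
    jump beyond MAX_STEP_RATIO, or any change made while a remote session is open."""
    alerts = []
    remote_users = set()  # users currently connected through the remote-access tool
    for time, kind, f in parse_events(text):
        if kind == "REMOTE_SESSION_START":
            remote_users.add(f["user"])
        elif kind == "REMOTE_SESSION_END":
            remote_users.discard(f["user"])
        elif kind == "SETPOINT_CHANGE":
            tag, old, new = f["tag"], float(f["old"]), float(f["new"])
            lo, hi = SAFE_BAND_PPM.get(tag, (float("-inf"), float("inf")))
            if not lo <= new <= hi:
                alerts.append((time, "out_of_band", f"{tag} {old:g}->{new:g}, band {lo:g}-{hi:g}"))
            elif lo <= old <= hi and min(old, new) > 0 and max(new / old, old / new) > MAX_STEP_RATIO:
                alerts.append((time, "large_step", f"{tag} {old:g}->{new:g}"))
            if f["user"] in remote_users:  # the change arrived over remote access
                alerts.append((time, "remote_session_change", f"{tag} by {f['user']}"))
    return alerts
```

The operator's correction back into the band is deliberately not flagged as a large step, so the alert list contains only the deviations from baseline.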
Stuart Reed, UK Director of Orange Cyberdefense, said that hackers are continually probing key facilities worldwide for weaknesses, and there are still significant concerns about the readiness of CNI to weather increasingly sophisticated cyber-attacks, with many facilities believed to run on out-of-date and vulnerable IT systems. The incident in Florida will go down as yet another near miss, but it is clear that CNI will remain a key target for hackers – inaction can no longer be tolerated.
“In today’s extremely volatile cyber landscape and faced with a surging threat of nation state actors, the UK government has rightly placed the resilience of CNI at the heart of its National Cyber Security Strategy in 2021. Thwarting cyber-attacks against key utilities and services has never been more critical and the severe consequences of failing to do so are only exacerbated by the unprecedented events of the past year.
“Organisations responsible for the security of our CNI need to ensure that a layered approach to cybersecurity is in place, focusing on installing the best and most up-to-date software and technology possible, supplemented by investment in both people and process. Only then will we have the right combination of safeguards in place to ensure that our critical infrastructure, key services, and health and safety are not solely reliant on the watchfulness of the man or woman on duty at the time of an attack,” he added.