Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Remote Hacker Caught Poisoning Florida City Water Supply

Oldsmar Florida Water Supply Hack Details

Oldsmar Florida Water Supply Hack Details

Hacker Remotely Increased Sodium Hydroxide Levels in City’s Water from 100 Parts Per Million to 11,100 Parts Per Million.

U.S. law enforcement agencies are investigating a remote compromise of a Florida city’s water plant, warning that the hackers tried to poison the water supply serving approximately 15,000 residents.

The hack was spotted on February 5th — and neutralized — in real time by staff at the plant that supplies water to Oldsmar, a small city close to Tampa, Florida.

Local Sheriff Bob Gualtieri said (video below) an unknown adversary hacked into the plant remotely and attempted to elevate levels of levels of sodium hydroxide by a factor of more than 100. 

Sodium hydroxide, also known as lye, controls the acidity in potable water but elevated levels maliciously added to water supply can cause physical harm to the public.

Details of the compromise are scarce but local officials made it clear the city’s water supply was never affected.

During an explanation on Monday, Sheriff Gualtieri said the hack was first spotted in real time earlier in the morning by a staffer who noticed the remote connection to the plant. The remote attacker reportedly used TeamViewer, a legitimate application used for remote access, to take control of the terminal.

The Sheriff said the remote access itself wasn’t unusual but just after lunch on the same day Sheriff Gualtieri said the attacker returned and the plant operators watched as the hackers took control of the mouse and started operating the computer system.

The attacker spent about three to five minutes in the control software and jacked up the amount of lye from 100 parts per million to 11,100 parts per million.

Once the attacker left, the plant operators immediately reverted the change. “At no time was there a significant adverse effect on the water being treated. The public was never in danger,” he claimed.

Cybersecurity experts have long warned that hackers could cause serious damage to organizations by targeting exposed human-machine interfaces (HMIs), and the incident in Oldsmar is another reminder of how vulnerable such systems across the nation’s critical infrastructure can be. 

“This was not the first attack on water or utilities, and lucky there was a human in the loop to prevent disaster,” Ron Brash, Director of Cyber Security Insights at Verve Industrial, told SecurityWeek. “The warning bell should be sounded, but CISOs (or those in charge) are lucky because they are in a very defensible position. In fact, I believe this is a call for organization’s to double down on the cybersecurity basics, assess their asset & infrastructure, and validate controls on their ‘crown’ jewels.”

While this incident may be rare, Brash reminds there are countless other municipalities that are likely in a similar situation. “Remote access has great operational benefits, but it also a great risk (think high likelihood of being attacked).  In this case, its very likely that adequate controls preventing non-authorized users from gaining access were absent, or misconfigured. Regardless, this municipality was very lucky.”

In early 2020, the Israeli government issued an alert to organizations in the water sector following a series of cyberattacks aimed at water facilities, and advised water and energy firms to immediately change the passwords of internet-accessible control systems, reduce internet exposure, and ensure that all control system software is up to date. Just weeks later, a group of Iranian hackers posted a video showing how they managed to access an industrial control system at a water facility in Israel.

SecurityWeek will be update this article as more information becomes available.

Related: Iranian Hackers Access Unprotected ICS at Israeli Water Facility

Learn more about threats to industrial systems at SecurityWeek’s 2021 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

ICS/OT

Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched.

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

ICS/OT

A hacktivist group has made bold claims regarding an attack on an ICS device, but industry professionals have questioned their claims.

ICS/OT

Vulnerabilities in industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to OT networks.