Hacker Remotely Increased Sodium Hydroxide Levels in City’s Water from 100 Parts Per Million to 11,100 Parts Per Million.
U.S. law enforcement agencies are investigating a remote compromise of a Florida city’s water plant, warning that the hackers tried to poison the water supply serving approximately 15,000 residents.
The hack was spotted on February 5th — and neutralized — in real time by staff at the plant that supplies water to Oldsmar, a small city close to Tampa, Florida.
Local Sheriff Bob Gualtieri said (video below) an unknown adversary hacked into the plant remotely and attempted to elevate levels of levels of sodium hydroxide by a factor of more than 100.
Sodium hydroxide, also known as lye, controls the acidity in potable water but elevated levels maliciously added to water supply can cause physical harm to the public.
Details of the compromise are scarce but local officials made it clear the city’s water supply was never affected.
During an explanation on Monday, Sheriff Gualtieri said the hack was first spotted in real time earlier in the morning by a staffer who noticed the remote connection to the plant. The remote attacker reportedly used TeamViewer, a legitimate application used for remote access, to take control of the terminal.
The Sheriff said the remote access itself wasn’t unusual but just after lunch on the same day Sheriff Gualtieri said the attacker returned and the plant operators watched as the hackers took control of the mouse and started operating the computer system.
The attacker spent about three to five minutes in the control software and jacked up the amount of lye from 100 parts per million to 11,100 parts per million.
Once the attacker left, the plant operators immediately reverted the change. “At no time was there a significant adverse effect on the water being treated. The public was never in danger,” he claimed.
Cybersecurity experts have long warned that hackers could cause serious damage to organizations by targeting exposed human-machine interfaces (HMIs), and the incident in Oldsmar is another reminder of how vulnerable such systems across the nation’s critical infrastructure can be.
“This was not the first attack on water or utilities, and lucky there was a human in the loop to prevent disaster,” Ron Brash, Director of Cyber Security Insights at Verve Industrial, told SecurityWeek. “The warning bell should be sounded, but CISOs (or those in charge) are lucky because they are in a very defensible position. In fact, I believe this is a call for organization’s to double down on the cybersecurity basics, assess their asset & infrastructure, and validate controls on their ‘crown’ jewels.”
While this incident may be rare, Brash reminds there are countless other municipalities that are likely in a similar situation. “Remote access has great operational benefits, but it also a great risk (think high likelihood of being attacked). In this case, its very likely that adequate controls preventing non-authorized users from gaining access were absent, or misconfigured. Regardless, this municipality was very lucky.”
In early 2020, the Israeli government issued an alert to organizations in the water sector following a series of cyberattacks aimed at water facilities, and advised water and energy firms to immediately change the passwords of internet-accessible control systems, reduce internet exposure, and ensure that all control system software is up to date. Just weeks later, a group of Iranian hackers posted a video showing how they managed to access an industrial control system at a water facility in Israel.
SecurityWeek will be update this article as more information becomes available.
Related: Iranian Hackers Access Unprotected ICS at Israeli Water Facility
Learn more about threats to industrial systems at SecurityWeek’s 2021 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series