Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Remote Hacker Caught Poisoning Florida City Water Supply

Oldsmar Florida Water Supply Hack Details

Oldsmar Florida Water Supply Hack Details

Hacker Remotely Increased Sodium Hydroxide Levels in City’s Water from 100 Parts Per Million to 11,100 Parts Per Million.

U.S. law enforcement agencies are investigating a remote compromise of a Florida city’s water plant, warning that the hackers tried to poison the water supply serving approximately 15,000 residents.

The hack was spotted on February 5th — and neutralized — in real time by staff at the plant that supplies water to Oldsmar, a small city close to Tampa, Florida.

Local Sheriff Bob Gualtieri said (video below) an unknown adversary hacked into the plant remotely and attempted to elevate levels of levels of sodium hydroxide by a factor of more than 100. 

Sodium hydroxide, also known as lye, controls the acidity in potable water but elevated levels maliciously added to water supply can cause physical harm to the public.

Details of the compromise are scarce but local officials made it clear the city’s water supply was never affected.

During an explanation on Monday, Sheriff Gualtieri said the hack was first spotted in real time earlier in the morning by a staffer who noticed the remote connection to the plant. The remote attacker reportedly used TeamViewer, a legitimate application used for remote access, to take control of the terminal.

Advertisement. Scroll to continue reading.

The Sheriff said the remote access itself wasn’t unusual but just after lunch on the same day Sheriff Gualtieri said the attacker returned and the plant operators watched as the hackers took control of the mouse and started operating the computer system.

The attacker spent about three to five minutes in the control software and jacked up the amount of lye from 100 parts per million to 11,100 parts per million.

Once the attacker left, the plant operators immediately reverted the change. “At no time was there a significant adverse effect on the water being treated. The public was never in danger,” he claimed.

Cybersecurity experts have long warned that hackers could cause serious damage to organizations by targeting exposed human-machine interfaces (HMIs), and the incident in Oldsmar is another reminder of how vulnerable such systems across the nation’s critical infrastructure can be. 

“This was not the first attack on water or utilities, and lucky there was a human in the loop to prevent disaster,” Ron Brash, Director of Cyber Security Insights at Verve Industrial, told SecurityWeek. “The warning bell should be sounded, but CISOs (or those in charge) are lucky because they are in a very defensible position. In fact, I believe this is a call for organization’s to double down on the cybersecurity basics, assess their asset & infrastructure, and validate controls on their ‘crown’ jewels.”

While this incident may be rare, Brash reminds there are countless other municipalities that are likely in a similar situation. “Remote access has great operational benefits, but it also a great risk (think high likelihood of being attacked).  In this case, its very likely that adequate controls preventing non-authorized users from gaining access were absent, or misconfigured. Regardless, this municipality was very lucky.”

In early 2020, the Israeli government issued an alert to organizations in the water sector following a series of cyberattacks aimed at water facilities, and advised water and energy firms to immediately change the passwords of internet-accessible control systems, reduce internet exposure, and ensure that all control system software is up to date. Just weeks later, a group of Iranian hackers posted a video showing how they managed to access an industrial control system at a water facility in Israel.

SecurityWeek will be update this article as more information becomes available.

Related: Iranian Hackers Access Unprotected ICS at Israeli Water Facility

Learn more about threats to industrial systems at SecurityWeek’s 2021 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

ICS/OT

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

ICS/OT

Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

ICS/OT

More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

ICS/OT

Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.