A drinking water treatment plant serving the city of Oldsmar, in Florida, was attacked by hackers who tried to poison the water supply, reports Sky News.
According to local Sheriff Bob Gualtieri, a plant operator noticed someone remotely accessed the plant’s computer system at about 8am last Friday; he initially dismissed it because supervisors can use remote access to get into the system. However, later that afternoon, he noticed another intrusion into the system, which changed the amount of sodium hydroxide from 100 to 11,100 parts per million, something he immediately corrected.
City officials have said Oldsmar residents, a town of some 15,000 people in the Tampa area, were not exposed to any risks. Sodium hydroxide, commonly known as lye, is a corrosive agent used to treat acidity in water systems, which in high concentrations may cause skin irritation and burns.
Remote access to the system has been turned off since. Officials note there are alarms in place to prevent dangerous levels of chemicals from entering the water systems. "The protocols include security measures and multiple redundancies in the distribution of potable water to ensure its safety to our customers," said city Mayor Eric Seidel. Meanwhile, utilities and municipal services in the area have been asked to check their computer systems, and the FBI and Secret Service have been called to help find out who is behind the attack.
Experts in cybersecurity have long warned about this type of incident, a cyberattack on a critical infrastructure, this time a drinking water treatment facility, as operators of infrastructure – water plants, dams, oil and gas pipelines – have undergone a digital transformation that allows controlling the facilities remotely. The problem is hackers can try to use the same remote access with harmful intentions.
Cyber-attacks on critical infrastructure have been occurring since at least 2007, according to The New York Times, when the United States and Israel attacked a nuclear facility in Iran. Attacks by rival nations have since targeted energy companies, electrical utilities, dams and water supplies. Large utility companies often have complex security systems, but operators of small critical infrastructure, like the water treatment plant in Oldsmar, often do not, which makes them easy targets. Perpetrators do not need to be rival nation states, they could be bored teenagers, disgruntled employees, etc.
Alan Grau, VP of IoT at cyber security company Sectigo, commented: “The explosion of Internet of Things (IoT) uses cases offers endless efficiencies, but also increased risk, for municipalities, utilities, and critical infrastructure providers. The recent remote hack of a water quality system in Florida is another case in point for cities and towns, as well as the manufacturers of the devices used in street lights, utilities, and even water systems, of the need to ensure secure communications using certificate-based authentication and other advanced cybersecurity technologies.”