Water Treatment Hack in Florida Highlights New Risks
An attempted water treatment hack at the Oldsmar treatment facility near Tampa, Florida could have been disastrous if not for the alertness of one of the plant’s employees. When someone accessed the plant’s computer system remotely in an attempt to alter the plant’s mix of water treatment chemicals, the plant operator noticed what was happening and promptly put an end to it. That is a lucky break, but the situation still illuminates how easy it might be for an attacker to access a utility computer system for malicious purposes.
What Did the Water Treatment Hack Involve?
The hacker tried to increase the amount of sodium hydroxide, also known as lye, in the water to “dangerous levels” according to Pinellas County Sheriff Bob Gualtieri. Specifically, the hacker tried to increase the level of this chemical, which is the same chemical that serves as the main ingredient in liquid drain cleaners, from 100 parts-per-million to over 11,000 parts-per-million. The FBI is still investigating the situation as of the time of this writing.
It appears as though a reputable desktop sharing software called TeamViewer provided the backdoor access to the company’s network. Multiple recent cyber-attacks, including the Oldsmar water treatment hack, relied on this software as the mechanism to to gain the ability to remotely control computer systems.
A related problem is that the company uses the 32-bit version of Windows 7 to run various software programs connected to SCADA, a practice that is considered outdated and vulnerable to hacking. Even worse, all the computers shared the same password for remote access, with no firewall protection. Not exactly a best-in-class water utility cybersecurity practice!
In other words, Oldsmar was an easy target.
A likely scenario is that a Trojan horse type of virus made its way into the software, which was then exploited by the hackers to gain remote access to, and control of, the company’s SCADA system.
The plant employee noticed the mouse on his computer screen moving on its own and clicking various software functions to alter the chemical mix of the water treatment process. In total, the hacker had control for about 5 minutes – plenty of time to create a significant amount of havoc.
Hopefully, Oldsmar and all utilities – water, gas and electric – will learn from this latest water treatment hack. What could have been a dangerous situation was averted this time, but we may not be so lucky next time.