Hackers attempt to poison Florida water supply

Aerial shot of a water treatment facility

Cyber criminals tried - and failed - to poison the water supply in a Floridian city by remotely infiltrating a water treatment facility and ramping up the Sodium Hydroxide (NaOH) levels.

The computer systems of a water treatment facility, located in the city of Oldsmar, Florida, were remotely breached twice on 5 February, according to a Floridian county sheriff, Bob Gualtieri.

On the second intrusion, which lasted three to five minutes, the hackers tried to ramp up the NaOH levels but were foiled as an operator was watching the attack in real-time.

It’s been widely reported that the cyber criminals infiltrated the plant through TeamViewer, which was installed on one of the operator machines. This legitimate software allows easy access to machines remotely from anywhere - and is often used for remote IT troubleshooting and technical assistance.

The incident took place over the course of the day, with hackers first infiltrating the Oldsmar water treatment plant at 8am. This was brief a brief intrusion, however, and didn’t alert any suspicion due to the fact that remote supervisors routinely access the system in such a way to monitor operations.

A plant operator witnessed a second intrusion at 1:30pm later that day, watching the attacker opening various functions in the system that control the NaOH levels in the water. They manipulated the controls to boost these levels from roughly 100 parts-per-million to the potentially lethal levels of 11,100 parts-per-million.

“What it is, is that somebody hacked into the system, not just once but twice, and controlled the system, took control of the mouse, moved it around, opened the programme and changed the levels from 100 to 11,100 parts-per-million with a caustic substance,” the sheriff Bob Gualtieri said at a press conference.

“In order to get into the system, somebody had to use some pretty sophisticated ways of doing it.”

Once the hackers exited the system, the plant operator immediately reduced the levels of NaOH. Because this was instant, there was no change to the water supply that serves roughly 15,000 residents.

Authorities in Oldsmar, located in Pinellas County, Florida, are investigating the security breach in conjunction with the FBI and other law enforcement agencies. Investigators don’t currently know whether the attack originated from inside the US or outside, nor what their motivations were.

Such an attack with potentially lethal consequences has been theorised over and war-gamed by IT and security teams across the US and the UK, but concrete examples are hard to come by. Researchers had previously warned in 2018 that smart city infrastructure contains many flaws that could allow hackers to cause havoc, turning them into a new breed of ‘supervillian’.

Daniel Kapellmann Zafra, manager of analysis at Mandiant Threat Intelligence told IT Pro his company has detected an increase in cyber incidents by novice hackers seeking to access and learn about industry systems in recent months.

“Many of the victims appear to have been selected arbitrarily, such as small critical infrastructure asset owners and operators who serve small populations,” he said. “Through remote interaction with these systems, actors have engaged in limited-impact operations but none of these cases has resulted in damage to people or infrastructure.”

UK director at Orange Cyberdefense, Stuart Reed, meanwhile, said this is exactly the kind of assault on national infrastructure that cyber security experts have been fearing for years, reflecting on the potential impact such an incident might have in the UK.

“It is frightening to think what might have happened if it was not for the vigilance of one of the plant's operators,” he said. “As the government and NHS wrestle with the pandemic, it's hard to imagine how the country could cope at this time if there was any major disruption to the UK's supply of electricity or water.

“Nonetheless, key facilities worldwide are constantly being probed for weaknesses, and there are still significant concerns about the readiness of CNI to weather increasingly sophisticated cyber-attacks, with many facilities believed to run on out-of-date and vulnerable IT systems.

“The incident in Florida will go down as yet another near miss, but it is clear that CNI will remain a key target for hackers - inaction can no longer be tolerated.”

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.