- Hackers attempted to contaminate the water of a Florida town and make it caustic.
- An employee working on the facility noticed the action and reversed it before it was too late.
- Cybersecurity in American public utilities is poor, and changing that is well overdue.
Someone has managed to break into a Florida town water treatment facility ICS (Industrial Control System) platform and changed the chemical levels of substances, rendering the water unsafe to consume. Fortunately, the people responsible for the facility's operation realized the change and stopped the contaminated water from reaching the supply network.
The targeted water treatment unit serves the town of Oldsmar in Pinellas County and has a population of about 15,000 people. The following video is from the associated press conference that was held to assure the public that their health hasn’t been compromised.
The hackers used TeamViewer to take control of an employee computer located at the facility. Thankfully, they did so during working hours, so the employee was present and happened to be monitoring the computer screen. As such, we can say that the matter of detecting the intrusion was pure luck.
The hackers increased the amount of sodium hydroxide (caustic soda), which is used in small quantities to control water acidity. At higher concentrations, this substance can cause tissue damage through direct corrosive action, severe necrosis of the esophagus, and even death. The people who would have a shower with the said water could suffer dermatitis, loss of hair, and caustic skin irritation.
In May 2020, we covered the news about a report published by a team of researchers in the United States, which sent a warning to all public entities and governments in the country that their ICS are easily accessible by hackers. Characteristically, the report stated that the fact that nothing bad has happened yet is a matter of luck, as well as the potential existence of ethical reservations that foreign hackers may have concerning harming innocent civilians.
It is clear that these systems need to be protected properly, apply NIST cybersecurity standards, and remove liabilities like TeamViewer tools meant to help technicians provide support remotely. This is not a proper way to do stuff in 2021, and the Oldsmar town incident should serve as the tinder that lights the fire of change across the country.
Hitesh Sheth, CEO at Vectra, a cyber-threat hunting firm, shared the following comment with us:
Public utilities, including power and water systems, have been prime cyberattack targets for years. There’s a whole Russian cyber team, “Energetic Bear,” focused on hacking American energy infrastructure. In the Oldsmar case, it’s premature to assign motive or place blame. However, we’ve seen enough breaches of the US power grid, water systems, and even nuclear plants to conclude this: protecting these critical facilities, and upgrading their cyber defenses, should be a far higher priority.
Biden has appointed experts in the right positions to up the nation's cybersecurity levels and has also approved a hefty budget for the purpose. Still, the endeavor of taking care of everything will surely be challenging. Public utilities like water treatment and supply facilities should be prioritized nonetheless.