Hacker attempts to poison Florida city’s water supply

A recent cyberattack on a Florida city’s water treatment plant attempted to pump up the amount of lye, which is poisonous in large doses, in the city’s water supply, officials said.

The cyberattack on the city of Oldsmar’s water treatment plant on Feb. 5 momentarily increased the amount of sodium hydroxide, or lye, added to the city’s water supply from 100 parts per million to 11,100 parts per million. An alert plant worker saw the hacker’s efforts happening live on a computer’s desktop and immediately changed the lye levels back to safe levels, Pinellas County Sheriff Bob Gualtieri said in a press conference on Feb. 8.

The hacker accessed the plant’s computer for three to five minutes, Gualtieri said.

Lye, in small doses, is used for controlling water acidity and to remove metals from drinking water. In large amounts, it’s poisonous.

“This is dangerous stuff,” Gualtieri said during the press conference. “This was somebody that is trying … to do something bad.”

City officials stressed that it would have taken 24 to 36 hours for the spiked lye levels to make their way to the city’s drinking water supply, and by that time, sensors would have caught the problem. Oldsmar, with about 14,000 residents, is northeast of Tampa.

Local officials have called in the FBI and the U.S. Secret Service to help investigate the attack. Gualtieri called on other water treatment facilities to review their cyberdefenses.

It’s unclear what the hacker was trying to accomplish beyond making people sick, but threatening public health or safety may be the ultimate goal, said Carl Herberger, vice president for security services at CyberSheath, a cybersecurity vendor.

“From a cyberattack perspective, this year could be a watershed year for the critical infrastructure industry,” he told the Washington Examiner. This breach “has jarring implications and should be a loud warning for other municipalities to put proper security controls in place to ensure critical systems are secure.”

Herberger added that this hack could have been a malicious attack or a trial run for an attacker to breach the same system or another one. “While this incident didn’t lead to actual water poisoning, it was a relatively unsophisticated attack and could be replicated by malicious actors,” he said. “The next small city to face something like this may not catch it in time.”

Security experts noted that this isn’t the first attack on a U.S. target with public safety implications. In 2016, for example, U.S. officials indicted seven Iranian suspects on charges of attacking the supervisory control and data acquisition (SCADA) systems controlling the Bowman Dam, a small flood-control facility in Rye, New York.

While some security experts suggested the hacker could be eyeing a financial gain, such as a ransom, down the road, others said this specific attack didn’t seem to be motivated by money.

The motivation could be to “make people sick based on the attack being perpetrated by a domestic terrorist or a disgruntled customer or employee,” said Morey Haber, CTO and CISO at cybersecurity vendor BeyondTrust. “It could be ‘just to prove it could be done’ by a script kiddy or someone hacking for fun.”

The attack doesn’t appear to be the work of a nation-state-sponsored hacking group or a foreign terrorist organization, Haber told the Washington Examiner. “The repercussions of a targeted foreign attack could easily translate into a physical act of war if a nation was determined to be the source,” he said. “This is a risk most countries are unwilling to take at this time.”

The COVID-19 pandemic puts additional stress on utilities and other organizations that have had to adopt remote access capabilities sooner than they had planned, said Kevin Dunne, president at Greenlight, a provider of integrated risk management solutions.

“Many organizations have previously felt protected by traditional perimeter security such as firewalls and VPNs,” he said. “However, the new shift to work-from-anywhere has reduced the efficacy of many of these methods and even rendered some of them useless.”

Dunne recommended that organizations using remote access tools pump up their identity-monitoring and access control capabilities.