Florida water system cyberattack – the dangers of remote access

The attack plays into the rising use of remote access options among critical organizations amid the pandemic.
9 February 2021
  • 15,000 Florida residents were at risk of consuming poisoned water after a cyberattacker gained control of systems at a water treatment plant
  • The attacker began increasing the amount of sodium hydroxide in the water by a factor of 100
  • Carried out through compromised remote access software, the incident highlights the current vulnerabilities of ‘connected’ critical infrastructure and operational technology

A cyberattack at a water facility in Florida led to an attempt to poison the water supply to some 15,000 residents, in another instance that highlights the security inadequacies of today’s increasingly connected critical infrastructure.

A hack on the Oldsmar city water treatment system meant an attacker was able to briefly increase the amount of sodium hydroxide or lye going into the water by a factor of 100 before an on-site worker spotted it and reversed the action.

Used in small amounts, the chemical controls the acidity of water, but it’s also a corrosive compound commonly found in household cleaning supplies. Contact with sodium hydroxide can kill skin and cause hair loss, according to the National Center for Biotechnology Information, and ingestion can be fatal.

The attack took place via a compromised remote access system, which was in place to allow authorized individuals access for troubleshooting.

A plant operator reportedly first noticed an attempt to access the system in the morning but had thought it was their supervisor. That was followed by another attempt later in the day, after which the attacker accessed the treatment software and increased the sodium hydroxide levels.

As reported by the Tampa Bay Times, “the operator watched as someone took control of the mouse, directed it to the software that controls the water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide.”

The operator immediately returned levels to normal, and the remote access system has since been disabled.

It’s also worth noting that there were other monitoring systems in place that would have detected the imbalance, and the water would have taken more than a day to enter the public water supply. Nonetheless, the attack – while unsophisticated – serves as a rude reminder of the ease with which attackers can reach critical systems that have poor security protocols. With the attacker as yet unidentified, Senator Marco Rubio tweeted that the attack “should be treated as a matter of national security.”

While the likelihood of real damage was minimal, Tripwire VP Tim Erlin said we should be particularly concerned about how the attacker was able to authenticate into the remote access software.

“That entry point should be very well protected, given that it provides access to such obviously sensitive capabilities. Protecting remote access into industrial systems where these types of changes can be made should be a high priority for any industrial environment.”
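The monitoring point made above (that a dosing change this large should be caught before it reaches the process, whoever makes it) can be illustrated with an independent setpoint guard. The code below is an added example and not anything from the article, the Oldsmar plant or Tripwire; the event format, the field names, the safe operating envelope for the sodium hydroxide setpoint and the sample events are all constructed assumptions. The guard reviews each setpoint write from the HMI or historian, holds any write that leaves the engineering envelope, and flags both oversized steps and writes that originate from a remote-access session so an on-site operator has to confirm them.

```python
"""Independent dosing-setpoint guard (added example, not from the article).

Assumes setpoint-change events exported from an HMI or historian with the
fields below; the limits and sample values are constructed for illustration
and are not the real plant's settings.
"""
from dataclasses import dataclass

# Constructed engineering envelope for the NaOH dosing setpoint (ppm).
SAFE_MIN = 50.0
SAFE_MAX = 200.0
# A single write may at most double or halve the previous setpoint.
MAX_CHANGE_RATIO = 2.0


@dataclass
class SetpointChange:
    ts: str       # ISO-8601 timestamp of the write (assumed field)
    tag: str      # controller tag being written (assumed field)
    old: float    # setpoint before the write
    new: float    # setpoint requested by the write
    source: str   # "console" (on-site HMI) or "remote" (remote-access session)


def evaluate(ev: SetpointChange) -> dict:
    """Return the alerts raised by one write and whether it may proceed.

    Writes that leave the envelope are held for operator confirmation;
    oversized steps and remote-origin writes are alerted but not held, so a
    console operator restoring a sane value is never blocked.
    """
    alerts = []
    if not (SAFE_MIN <= ev.new <= SAFE_MAX):
        alerts.append("out_of_envelope")
    # Ratio of the larger to the smaller value; guard against a zero setpoint.
    ratio = max(ev.new, ev.old) / max(min(ev.new, ev.old), 1e-9)
    if ratio > MAX_CHANGE_RATIO:
        alerts.append("step_too_large")
    if ev.source == "remote":
        alerts.append("remote_write")
    action = "hold" if "out_of_envelope" in alerts else "allow"
    return {"ts": ev.ts, "tag": ev.tag, "alerts": alerts, "action": action}


def run_guard(events):
    """Evaluate a sequence of writes and return one result per event."""
    return [evaluate(ev) for ev in events]


# Constructed sample: a routine adjustment, a hundredfold remote increase,
# and the on-site operator restoring the previous value.
SAMPLE_EVENTS = [
    SetpointChange("2021-02-05T08:02:00", "NAOH_DOSE_SP", 100.0, 110.0, "console"),
    SetpointChange("2021-02-05T13:30:00", "NAOH_DOSE_SP", 100.0, 10000.0, "remote"),
    SetpointChange("2021-02-05T13:35:00", "NAOH_DOSE_SP", 10000.0, 100.0, "console"),
]


if __name__ == "__main__":
    for result in run_guard(SAMPLE_EVENTS):
        print(result)
```

The point of the split between "hold" and "alert" is that the guard sits outside the HMI the attacker was driving: it does not care whether the write came from a legitimate login, only whether the requested value is physically plausible and where it came from, and it leaves the corrective write by the on-site operator unobstructed.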

The attack plays into the rising use of remote access options among organizations – including those part of critical infrastructure – amid the pandemic.

Remote access and operational technology have enabled industrial facilities to reduce the number of individuals on-site, reducing the risk of in-person transmission. And while the demands of the pandemic have highlighted the benefits of this approach, it is also the direction in which control of operational technology is heading anyway, thanks to advances in connectivity and in sensor and camera technology.

These technologies provide real benefits in the efficiency and cost of running facilities and processes, but attacks such as this one highlight that there is a long way to go in establishing the airtight cybersecurity technology and processes they necessarily require. Some commentators have suggested there needs to be regulation governing the security of remote access software and teleoperation technology.

Hackers are increasingly proving they are prepared to consider human lives as collateral to their disruption of business and society.

As far back as 2015, a hack of Ukraine’s power grid caused a blackout affecting 200,000 people, while Kaspersky Labs estimates that over 40 percent of ICS computers on its watch had been attacked by malware at least once in the first half of 2018.

Meanwhile, a recent attack on a hospital in Germany led to the death of a patient, after doctors had to transfer her to a different facility as a direct result of the disruption to IT systems.