Urban warning: Hacker tried to poison drinking water in Florida

A hacker managed to access the computer system of a Florida water treatment plant and tried to taint Oldsmar’s water supply with lye. Cybersecurity experts have warned that municipal systems are easy targets because of underfunded computer infrastructures.

Pinellas County Sheriff's Office/AP
Pinellas County Sheriff Bob Gualtieri (right) speaks during a news conference as Oldsmar Mayor Eric Seidel listens, Feb. 8, 2021, in Oldsmar, Florida. A supervisor at the water treatment plant was able to intervene and reverse a hacking attempt to poison the water.

A hacker gained unauthorized entry to the system controlling the water treatment plant of a Florida city of 15,000 and tried to taint the water supply with a caustic chemical, exposing a danger cybersecurity experts say has grown as systems become both more computerized and accessible via the internet.

The hacker who breached the system at the city of Oldsmar’s water treatment plant on Friday using a remote access program shared by plant workers briefly increased the amount of sodium hydroxide by a factor of one hundred (from 100 parts per million to 11,100 parts per million), Pinellas County Sheriff Bob Gualtieri said during a news conference Monday.

Sodium hydroxide, also called lye, is used to treat water acidity but the compound is also found in cleaning supplies such as soaps and drain cleaners. It can cause irritation, burns, and other complications in larger quantities.

Fortunately, a supervisor saw the chemical being tampered with – as a mouse controlled by the intruder moved across the screen changing settings – and was able to intervene and immediately reverse it, Mr. Gualtieri said. Oldsmar is about 15 miles northwest of Tampa.

Mr. Gualtieri said the public was never in danger.

But he did say the intruder took “the sodium hydroxide up to dangerous levels.”

Oldsmar officials have since disabled the remote-access system, and say other safeguards were in place to prevent the increased chemical from getting into the water. Officials warned other city leaders in the region – which was hosting the Super Bowl – about the incident and suggested they check their systems.

Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.

Robert M. Lee, CEO of Dragos Security and a specialist in industrial control system vulnerabilities, said remote access to industrial control systems such as those running water treatment plants has become increasingly common.

“As industries become more digitally connected we will continue to see more states and criminals target these sites for the impact they have on society,” Mr. Lee said.

The leading cybersecurity firm FireEye attributed an uptick in hacking attempts it has seen in the last year mostly to novices seeking to learn about remotely accessible industrial systems. Many victims appear to have been selected arbitrarily and no serious damage was caused in any of the cases – in part because of safety mechanisms and professional monitoring, FireEye analyst Daniel Kapellmann Zafra said in a statement.

“While the [Oldsmar] incident does not appear to be particularly complex, it highlights the need to strengthen the cybersecurity capabilities across the water and wastewater industry,” he said.

What concerns experts most is the potential for state-backed hackers intent on doing serious harm targeting water supplies, power grids, and other vital services.

In May, Israel’s cyber chief said the country had thwarted a major cyber attack a month earlier against its water systems, an assault widely attributed to its archenemy Iran. Had Israel not detected the attack in real time, he said, chlorine or other chemicals could have entered the water, leading to a “disastrous” outcome.

Tarah Wheeler, a Harvard Cybersecurity Fellow, said communities should take every precaution possible when using remote access technology on something as critical as a water supply.

“The systems administrators in charge of major civilian infrastructure like a water treatment facility should be securing that plant like they’re securing the water in their own kitchens,” Ms. Wheeler told the Associated Press via email. “Sometimes when people set up local networks, they don’t understand the danger of an improperly configured and secured series of internet-connected devices.”

A plant worker first noticed the unusual activity at around 8 a.m. Friday when someone briefly accessed the system but thought little of it because co-workers regularly accessed the system remotely, Mr. Gualtieri told reporters. But at about 1:30 p.m., someone accessed it again, took control of the mouse, directed it to the software that controls water treatment, and increased the amount of sodium hydroxide.

The sheriff said the intruder was active for three to five minutes. When they exited, the plant operator immediately restored the proper chemical mix, he said.

Other safeguards in place – including manual monitoring – likely would have caught the change in the 24 to 36 hours it took before it reached the water supply, the sheriff said.

Investigators said it wasn’t immediately clear where the attack came from – whether the hacker was domestic or foreign. The FBI, along with the Secret Service and the Pinellas County Sheriff’s Office, is investigating the case.

Russian state-backed hackers have in recent years penetrated some United States industrial control systems, including the power grid and manufacturing plants, while Iranian hackers were caught seizing control of a suburban New York dam in 2013. No damages were inflicted in those cases but officials say they believe the foreign adversaries have planted software boobytraps that could be activated in an armed conflict.

This story was reported by The Associated Press. Bajak reported from Boston.
