On February 5th, a cyber attacker remotely infiltrated the IT system that manages a water treatment facility in Oldsmar, Florida. After gaining an initial foothold in the system, the malicious threat actor successfully altered settings that adjusted the levels of sodium hydroxide (NaOH) in the water to a dangerous concentration.
The amounts of lye (sodium hydroxide) were acutely increased - from 100 to 11,100 parts per million. Sodium hydroxide is used to control the acidity of water, and consumption of too much can be extremely toxic. In fact, it is the core ingredient used in drain-cleaner solutions.
The compromised system was TeamViewer, which permits the monitoring and troubleshooting of issues remotely. Fortunately, the authorized operator at the plant identified the external threat in real time, enabling instant remediation of the cyber attack. The levels were amended instantly, meaning no harm resulted.
A serious wake-up call
There is no doubt that this attack has been a serious wake-up call for those who operate remote management systems and security leaders. If the attack had gone unnoticed, as many do, the results could have been detrimental on a significant scale - approximately 15,000 residents in the surrounding area would have been affected.
What makes this particular attack so disturbing is its sinister objective - to potentially poison innocent people on a large scale. The incident only serves to underline the criticality of robust cyber security in remote systems management. Prioritizing the fortification of critical infrastructure is vital, and additional security measures must be adopted. This is not the first water-related cyber attack either. Last year, a handful of areas in Israel were targeted in similar attacks on water supplies, although those attacks were unsuccessful.
Cyber threats are clearly taking new forms. With a heavier reliance on IoT and attacks on critical national infrastructure, we must brace for the future of digital.
An accident waiting to happen
It appears that underfunding is a key issue here. In this particular case, the attack itself wasn’t highly sophisticated. Management had just been using out-of-date Windows 7 computers that were “directly connected to the internet without any type of firewall protection,” along with shared passwords. Being realistic is vital - municipal water and other systems are easy targets, and remote management is inevitably a particularly vulnerable area, so access needs more stringent requirements.
In this new age of cyber, systems are increasingly weaponized and so security practices must be adapted to cope with emerging threats and trends.