The cyber-risks associated with connected operational technology (OT) systems were laid bare on Monday after an unknown online assailant tried to remotely poison the water supply of a Florida city.
The attacker accessed the water treatment system for Oldsmar city in Pinellas County and tried to increase the amount of sodium hydroxide (lye) in the water almost 100-fold, officials said yesterday.
Also known as caustic soda, sodium hydroxide could cause vomiting, diarrhoea and damage to internal organs if swallowed.
An operator at the plant monitoring the system saw what he assumed to be his boss remotely accessing it at around 8am on Friday. Around five-and-a-half hours later the same worker was left bemused as his mouse suddenly started to move while a remote user tried to ramp up the lye levels in the water.
The operator immediately changed the levels back once the attacker had logged off, according to Pinellas County sheriff Bob Gualtieri.
In any case, it would have taken more than a day for the sodium hydroxide to enter the water supply, and redundancies in the system would have spotted the change in pH level and sounded the alarm, explained Oldsmar mayor Eric Seidel.
“The important thing is to put everybody on notice,” he warned at the press conference. “That’s really the purpose of today, to make sure that everyone realizes that these bad actors are out there; it’s happening, so take a hard look at what you have in place.”
Stuart Reed, UK director of Orange Cyberdefense, argued that the Florida incident is what security experts have been warning about for years.
“The incident in Florida will go down as yet another near miss, but it is clear that critical infrastructure (CNI) will remain a key target for hackers – inaction can no longer be tolerated,” he said.
“CNI organizations need to ensure that a layered approach to cybersecurity is in place, focusing on installing the best and most up-to-date software and technology possible, supplemented by investment in both people and process.”
Karl Sigler, senior security research manager, SpiderLabs at Trustwave, added that any systems used for critical networks should have very limited internet access.
“User accounts and credentials used to authenticate locally on the workstation and for TeamViewer should be changed frequently and utilize multi-factor authentication,” Sigler explained.
“In this instance, it was lucky that the user was physically there to see the remote control and what settings had changed, but all critical activities should be audited, logged and monitored for abuse.”
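The monitoring that Sigler describes, and the pH redundancy the mayor mentions, both boil down to checking every critical change against what is physically plausible rather than trusting the operator session that made it. The following is an added example, not code from the article or from any plant, vendor or expert quoted in it: a small audit-log monitor that scans constructed HMI setpoint-change events and alerts on remote sessions, values outside a hypothetical engineering band, and implausibly large jumps. The tag name `NaOH_dose_ppm`, the limits, the log format and the sample events are all assumptions made up for the example.

```python
"""Audit-log monitor for HMI setpoint changes (added example, not from the
article or any vendor). Flags three things a defender would want to see:
a change made from a remote session, a value outside the engineering band,
and a change whose factor is implausible for normal operation."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Hypothetical engineering limits per tag, in ppm (constructed values).
LIMITS = {
    "NaOH_dose_ppm": (50.0, 200.0),
}
# Any change by more than this factor (up or down) is alarmed even if the new
# value happens to sit inside the band.
MAX_RATIO = 5.0


@dataclass
class Event:
    ts: datetime
    user: str
    session: str   # "console" or "remote"
    tag: str
    old: float
    new: float


def parse_event(line: str) -> Event:
    """Parse one pipe-separated audit line (constructed format):
    timestamp | user | session | tag | old value | new value"""
    ts, user, session, tag, old, new = [f.strip() for f in line.split("|")]
    return Event(datetime.fromisoformat(ts), user, session, tag,
                 float(old), float(new))


def check_event(ev: Event) -> List[str]:
    """Return a list of alert strings for one setpoint change (empty = benign)."""
    alerts = []
    if ev.session == "remote":
        alerts.append(f"remote session by {ev.user} wrote {ev.tag}")
    lo, hi = LIMITS.get(ev.tag, (float("-inf"), float("inf")))
    if not lo <= ev.new <= hi:
        alerts.append(f"{ev.tag} set to {ev.new} outside band [{lo}, {hi}]")
    if ev.old > 0 and ev.new > 0:
        factor = max(ev.new / ev.old, ev.old / ev.new)
        if factor > MAX_RATIO:
            alerts.append(f"{ev.tag} changed by factor {factor:.0f} "
                          f"({ev.old} -> {ev.new})")
    return alerts


def monitor(lines) -> Dict[str, List[str]]:
    """Run every audit line through check_event; return {timestamp: alerts}
    for the events that raised at least one alert."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        alerts = check_event(ev)
        if alerts:
            results[ev.ts.isoformat()] = alerts
    return results


# Constructed sample audit trail: a routine console tweak, a remote session
# driving the dose far out of band, and the operator's console correction.
SAMPLE_LOG = """
2021-02-05T07:45:00 | op1        | console | NaOH_dose_ppm | 100  | 110
2021-02-05T13:30:00 | supervisor | remote  | NaOH_dose_ppm | 110  | 9900
2021-02-05T13:35:00 | op1        | console | NaOH_dose_ppm | 9900 | 110
"""


def run() -> Dict[str, List[str]]:
    return monitor(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, alerts in run().items():
        for a in alerts:
            print(f"{ts}  ALERT  {a}")
```

Note that the operator's correction at 13:35 also raises an alert: a 90-fold swing in either direction deserves a human look, and an alert on the revert is the trail that tells an investigator the original change was reversed. The engineering band, not the session type, is the control that would have caught this even if the remote session had looked legitimate.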