Hackers attempt to poison Florida city's water supply

by Mark Tyson on 9 February 2021, 13:11

News reports indicate that an unknown hacker attempted to poison the water of a city in Florida by remotely accessing the software that controls water treatment chemicals. Luckily a plant operator observed and reversed the changes fast enough to make them ineffective. Furthermore, the water treatment plant has monitoring infrastructure which would have detected the change before it reached public supplies, say sources. Local law enforcement, FBI and Secret Service investigators are looking into this malicious act but we don't have information as yet about the source of the hack - whether it was a Floridian, someone from elsewhere in the US, or a foreign individual or organisation.

At about 8am on Friday, hackers accessed the computer facility at the water treatment centre in the town of Oldsmar, Florida. This facility controls the water supply to approximately 15,000 residents. An operative saw someone remotely accessing the water treatment system via TeamViewer but had noticed his supervisor do this many times previously. At 1.30pm the same day the unknown actor returned and this time accessed the water treatment controls for 3 to 5 minutes, increasing the sodium hydroxide being added to the water supply from 100 parts per million to 11,100 parts per million.

When the attacker left the system, the observant operator quickly dialled back the concentration to 100ppm. The malicious act was caught in plenty of time, before any other process safeguards were triggered. "At no time was there a significant adverse effect on the water being treated," County Sheriff Bob Gualtieri said. "Importantly, the public was never in danger."

No experts have speculated what ill effects water with such a concentration of sodium hydroxide might cause. In concentrated form the chemical is a strong alkali, also known as caustic soda, and can destroy skin and hair cells. It is a common ingredient in drain cleaners (dissolving fat, oil, grease etc.) but in very dilute applications, such as in the water treatment industry, it helps control water acidity and remove any poisonous heavy metals.

In 2007 the water of a town in Massachusetts was accidentally treated with too much sodium hydroxide, causing burns and skin irritation among people who showered with it. However, I don't have the NaOH ppm concentration figures for that accident.

This foiled attack is another 'wake-up call' or warning regarding the cyber-security of national infrastructure, utilities, health facilities and so on. Hopefully the perpetrators will be swiftly brought to justice by state and federal authorities.

Sources: Tampa Bay Times, Reuters.



HEXUS Forums :: 25 Comments

So probably a TeamViewer vulnerability?
after a search it's hard to find info on safe levels of NaOH
I've found 500mg/kg ingested is a lethal dose for a rabbit
Aerosol 2mg/m3 is minimum safe levels for no more than 8 hours
and 10mg/m3 is rated as “immediately dangerous to life or health”

but nothing about drinking water safety levels

so 1mg per kg = 1 part per million
so it was changed from 100mg to 11100mg or a 1% solution
Looks like it would have been very bad
In a sane world, this “wake-up call regarding cyber-security” would result in the complete removal of online control and an increase in the staff budget to always have a plural number of staff physically on site at all times.

But I bet they give multiple millions to a software company instead, to add new protections that the plant owners won't understand and won't be able to evaluate.
Pob255
after a search it's hard to find info on safe levels of NaOH
I've found 500mg/kg ingested is a lethal dose for a rabbit
Aerosol 2mg/m3 is minimum safe levels for no more than 8 hours
and 10mg/m3 is rated as “immediately dangerous to life or health”

but nothing about drinking water safety levels

so 1mg per kg = 1 part per million
so it was changed from 100mg to 11100mg or a 1% solution
Looks like it would have been very bad

Nothing on NaOH but the drinking water standards do specify maximum levels of Na at 200mg/l https://www.legislation.gov.uk/uksi/2016/614/schedule/1/made
Perhaps NaOH would be captured in that.
Otherhand
In a sane world, this “wake-up call regarding cyber-security” would result in the complete removal of online control and an increase in the staff budget to always have a plural number of staff physically on site at all times.

But I bet they give multiple millions to a software company instead, to add new protections that the plant owners won't understand and won't be able to evaluate.

This is the problem - you can set up really good security but for ‘convenience’ someone can stick TeamViewer on and bust straight through. Security is only as good as the lowest paid operator. (The sad thing is decent secure remote desktop is possible but it needs an expert to install it correctly and that's expensive.)

I suspect this firm doesn't even have a proper IT security team (or basic unsecured TeamViewer would have never been used!).