author photo
By Bruce Sussman
Tue | Feb 9, 2021 | 3:15 AM PST

Have you ever purchased a bottle of drain cleaner? A primary ingredient is lye. The chemical burns through clogs, but can also burn your eyes and skin. And it can kill you if you drink too much.

That's why it is so disturbing that a hacker tried to poison a Florida city by spiking the local water with massive amounts of this chemical.

Let's look at the hacker's timeline and movements. After doing so, you'll realize this was not some sort of mishap; it was intentional, and it could have hurt local residents.

We'll also look at the treatment plant's cybersecurity and what we know about it.

Water treatment plant hacked the first time for reconnaissance

There are 15,000 residents in the city of Oldsmar, Florida, who depend on clean water from the city's treatment plant. 

It was Friday morning, February 5th, and the day began like any other. A computer workstation lit up with someone gaining remote access to the water treatment plant, and workers assumed it was a boss who often monitored the systems remotely.

No one knew it at the time, but this was actually the hacker's reconnaissance mission into the water treatment plant's computer network. 

Pinellas County Sheriff Bob Gualtieri explains:

"The initial intrusion at 8:00 a.m. was brief and not cause for concern due to supervisors regularly accessing the system remotely to monitor the system."

In the old days, this would have been akin to a burglar casing the joint, making notes, and getting ready to pull off a crime. 

Water treatment plant hacked second time to poison the water

The morning cyberattack went under the radar, but what happened in the afternoon set off alarm bells among employees who watched it happen.

It's important to note that lye (chemical name sodium hydroxide) is often present at very low levels in water systems. It helps control the acidity in the water and that protects pipes.

In this case, the fact that chemical is present at all created opportunity for the hacker to potentially poison the community.

"At 1:30 p.m., a plant operator witnessed a second remote access user opening various functions in the system that control the amount of sodium hydroxide in the water. The operator noted the remote access user raised the levels of sodium hydroxide in the water. They took that chemical up to dangerous levels."

The attacker boosted the amount of lye being added into the water from 100 parts per million to 11,100 parts per million—an increase of 11,000 percent.

The city believes redundancies in the system would have eventually alerted operators something was wrong, but it was the keen eye of an employee that protected the city of 15,000 people at that instant.

And now the Oldsmar mayor is warning water treatment operators specifically and critical infrastructure facilities in general:

"The important thing is to put everybody on notice, and that's really the purpose of today, to make sure everyone realizes these kind of bad actors are out there, it's happening. And take a hard look at what you have in place."

Florida Senator Marco Rubio is asking the FBI to investigate the cyberattack, calling it a matter of national security.

How did the hacker gain access to the water treatment plant?

Since the attack, we've learned more about how the hacker accessed the plant's digital control panel. And it is raising questions about the security practices in place for this piece of critical infrastructure.

The Pinellas County Sheriff told Reuters that the attacker used a remote access program called TeamViewer to enter the water treatment plant's network.

TeamViewer is a popular tool used by organizations around the world, and the company expects 30% growth in 2021, as work from home continues.

But here's the disturbing part for those in information security: the plant had not utilized TeamViewer in months, and apparently employees did not realize it was still on the computer involved.

And it gets worse.

A cybersecurity advisory for public water suppliers, issued by the Massachusetts Department of Environmental Protection, reveals these details:

"All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed."

No firewall? A universally shared password? Computers running the no longer supported Windows 7? These are the things cyber nightmares are made of.

And in this case, the water drinkers in Oldsmar, Florida, can be thankful an employee just happened to see the attacker at work.

For the initial details on this attack, you can watch the press conference with Pinellas County Sheriff Bob Gualtieri, below.

[RELATED: U.S. CISA Alert on Compromise of U.S. Water Treatment Facility]

Comments