Hacker or Hacker Group Attempts to Alter Chemical Water Treatment Proportions to Inflict Harm on Citizens
A hacker gained access to the water treatment system of Oldsmar, Florida, on Friday and tried to increase the levels of sodium hydroxide, commonly referred to as lye, in the city’s water, officials said, putting thousands at risk of being poisoned.
The incident took place Friday when an operator noticed the intrusion and watched the hacker access the system remotely. The hacker adjusted the level of sodium hydroxide to more than 100 times its normal levels, according to Pinellas County Sheriff Bob Gualtieri.
The operator immediately reduced the level back. At no time was there a significant adverse effect to the city’s water supply, and the public was never in danger, Gualtieri said. It is unknown whether the breach originated locally, nationally or even outside of the United States.
“This is somebody who is trying, as it appears on the surface, to do something bad. It’s a bad act. It’s a bad actor,” Gualtieri said. “This isn’t just ‘Oh, we’re putting a little bit of chlorine or a little bit of fluoride, or a little bit of something,’ we’re basically talking about lye that you are taking from 100 parts per million to 11,100.”
Early intervention prevented the attack from having more serious consequences, said Robert M. Lee, the CEO of Dragos Inc., an industrial cybersecurity company. But, he said, this type of attack is precisely what keeps industry experts awake at night.
“It was not particularly sophisticated, but it’s exactly what folks worry about and as one of a very few examples of someone making an attempt to hurt people, it’s a big deal for that reason,” Lee said.
Gualtieri said it would have taken 24-36 hours for the water to reach the system and that there are several redundancies in place that would have raised an alert that the levels were too high before that happened. The city has taken steps to prevent further access into the system.
The Pinellas County Sheriff’s Office, FBI and Secret Service are jointly investigating the breach, Gualtieri said. The FBI’s field office in Tampa is working with Oldsmar and the sheriff’s office, offering resources and assistance in the investigation.
CNN has reached out to the Secret Service for comment.
Florida Sen. Marco Rubio wants the hacking of the water treatment system handled as a national security matter, he tweeted Monday.
“I will be asking the @FBI to provide all assistance necessary in investigating an attempt to poison the water supply of a #Florida city,” the tweet read. “This should be treated as a matter of national security.”
Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaner, Gualtieri said.
Symptoms of sodium hydroxide poisoning include breathing difficulties, lung inflammation, throat swelling, burning of the esophagus and stomach, severe abdominal pain, vision loss, and low blood pressure, according to the University of Florida Health System.
Long-term effects of poisoning depend on how fast the poison is diluted or neutralized in the system. Damage to the esophagus and stomach can continue to occur for several weeks after the poison was swallowed. Death can occur as long as a month later. It is unknown if the increased levels in Oldsmar would have led to any of these symptoms.
Oldsmar, a city made up of about 15,000 people in Pinellas County, is about 17 miles west of Tampa.
Operational Technology (OT) Cyberdefense & Countermeasures
Attacks on OT and IoT critical infrastructure are on the rise, right up there with attacks on the healthcare industry. When such an attack succeeds, it causes mass disruption to both the physical world and our health. OT/IoT businesses must work with cybersecurity experts to mitigate and stop these breach attempts as close to the source as possible. In this use case, the altered chemical proportions were caught manually by a water treatment technician before the system initiated the physical dispersal of chemicals. But what happens when the attack chain becomes more intelligent and a more sophisticated approach is used next time, one that changes the readout of the proportions or disables the alert to the on-duty technicians?
How do we stop this threat from ever taking root? Sniper Watch has worked with enough OT businesses to know that some, but not all, treatment facilities lock down their environments from the outside, because there are reports and statistics that must be sent to an authority. In addition, there is typically a reduced network and cybersecurity workforce on staff, and the engineers and administrators are commonly tasked with projects and initiatives, so they cannot be everywhere all the time.
There is no silver bullet for a comprehensive approach to cybersecurity; however, applying an array of the right techniques would stop this attack dead in its tracks. With a combination of Identity Access Management and Network Access Control, with device tracking and alerting and Multi-Factor Authentication, the water treatment facility or Solution Provider would have known about the presence of this access before the attacker could access the system and alter the critical elements. At this point, the attacker has gained evidence and artifacts and now knows the lay of the land, the IP addressing hierarchy, the security, the controls and other proprietary elements, all of which can be staged for the next attack.
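To make the layering concrete, here is an added sketch (not code from the article or from any vendor product) of a check that alerts when a remote session opens from an unregistered device or without MFA, and that independently refuses setpoint writes outside engineering limits. The device names, event fields, limits and sample events are all constructed assumptions; only the 100 and 11,100 ppm figures come from the article.

```python
# Constructed policy values; real limits come from the plant's process engineers.
KNOWN_DEVICES = {"hmi-ops-01", "eng-laptop-07"}   # assumed NAC device inventory
NAOH_LIMITS_PPM = (50.0, 200.0)                   # assumed allowed setpoint range
MAX_STEP_PPM = 25.0                               # assumed largest single change

def review(events):
    """Walk session/setpoint events in order; return (alerts, final_setpoint).

    Each alert is (event_index, reason). A setpoint write is applied only
    when its session passed the access checks and the value is in bounds.
    """
    alerts, trusted, setpoint = [], {}, None
    for i, ev in enumerate(events):
        if ev["type"] == "session_open":
            reasons = []
            if ev["device"] not in KNOWN_DEVICES:
                reasons.append("unknown_device")
            if ev["remote"] and not ev["mfa"]:
                reasons.append("remote_without_mfa")
            trusted[ev["session"]] = not reasons
            alerts += [(i, r) for r in reasons]   # raised before any write happens
        elif ev["type"] == "setpoint_write":
            lo, hi = NAOH_LIMITS_PPM
            new = ev["ppm"]
            if not trusted.get(ev["session"], False):
                alerts.append((i, "write_from_untrusted_session"))
            elif not lo <= new <= hi:
                alerts.append((i, "out_of_range"))
            elif setpoint is not None and abs(new - setpoint) > MAX_STEP_PPM:
                alerts.append((i, "step_too_large"))
            else:
                setpoint = new
    return alerts, setpoint

# Constructed events; ppm values mirror the figures quoted in the article.
SAMPLE_EVENTS = [
    {"type": "session_open", "session": "s1", "device": "hmi-ops-01", "remote": False, "mfa": True},
    {"type": "setpoint_write", "session": "s1", "ppm": 100.0},
    {"type": "session_open", "session": "s2", "device": "unregistered-pc", "remote": True, "mfa": False},
    {"type": "setpoint_write", "session": "s2", "ppm": 11100.0},
    {"type": "session_open", "session": "s3", "device": "eng-laptop-07", "remote": True, "mfa": True},
    {"type": "setpoint_write", "session": "s3", "ppm": 11100.0},
]

if __name__ == "__main__":
    print(review(SAMPLE_EVENTS))
```

The last sample write is rejected even though its session is fully authenticated, which is the point of enforcing limits outside the operator display: the bound still holds if a readout or operator alert is tampered with.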
If you are looking for a partner who can help you set these landmines through deception technology, visibility and enforcement, please feel free to reach out to us to have a conversation.