A hacker accessed the computer system at a water treatment plant in Oldsmar, Fla., on Friday and tried to poison it, law enforcement authorities said.
The hacker attempted to increase the level of sodium hydroxide in the treated water. Sodium hydroxide, or lye, is the main ingredient in liquid drain cleaners. It helps control water acidity and removes metals from drinking water. The hacker tried to increase the level from 100 parts per million to 11,100 parts per million.
While Oldsmar is only a few miles from the stadium in Tampa Bay where the Super Bowl was being played, a motive for the attack remains unclear.
“Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated,” [Pinellas County Sheriff Bob] Gualtieri said. “Importantly, the public was never in danger.”
Gualtieri noted that even if the worker had not intervened right away, it would’ve taken between 24 and 36 hours to hit the water supply system and that there are other safeguards in place where the water would have been checked before it was released.
Although the hack was discovered on Friday morning, police weren’t notified until Friday afternoon.
Police were notified of the incident late Friday afternoon, and the dapartment’s digital forensics unit has been working to determine the cause for the breach and to identify the individual or individuals responsible. Gualtieri added that while the suspect remains unknown, police have leads that they are following.
It is currently unknown why the Oldsmar system was targeted and whether the breach originated from inside the United States or outside of the country. Gualtieri noted that police have “no knowledge of any other systems being unlawfully accessed.”
Isn’t this kind of amateurish?
A plant operator was monitoring the system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn’t find this unusual, Gualtieri said, because his supervisor remotely accessed the system regularly.
But at about 1:30 p.m. the same day, Gualtieri said, someone accessed the system again. This time, he said, the operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.
The attacker left the system, Gualtieri said, and the operator immediately changed the concentration back to 100 parts per million.
The operator said he watched the cursor moving back and forth across the screen. You would think a terrorist would be a little more stealthy than that.
This should be a wake-up call to electrical plants, water treatment facilities, pipelines, and any other “critical infrastructure” that’s vulnerable to outside penetration of their systems. Since the 9/11 attacks, there have been warnings about terrorists attacking these “soft targets” and, as a whole, not enough has been done to protect the public.
The Oldsmar water treatment system was vulnerable because it wasn’t careful enough in granting remote access to its system. That problem will no doubt be fixed. Other systems will remain easy targets for terrorists unless we wake up and realize this cyberwar is 24/7, 365 days a year.