As the above video describes, a remote hacker managed to gain access to computer systems at the water treatment plant in Oldsmar, Florida, and briefly increased the amount of sodium hydroxide in the water by a dramatic amount.
According to the press conference called by Sheriff Bob Gualtieri, Mayor Eric Seidel, and City Manager Al Braithwaite, the unauthorised access to the computer systems was first seen at approximately 8 o’clock in the morning on Friday.
According to what was said at the press conference, the operator at that time did not suspect anything out-of-the-ordinary was occurring “because his supervisor and others will remotely access his computer screen to monitor the system at various times.”
However, at around 1:30 pm the hacker returned, and began to meddle with the plant’s settings:
“…nothing else happened from that initial intrusion at about 8 o’clock on Friday morning until about 1:30 when someone again remotely accessed the computer system, and it showed up on the operator screen with the mouse being moved about to open various software functions that control the water being treated in the system.
“The person remotely accessed the system for about three to five minutes opening various functions on the screen.”
Pinellas County Sheriff Bob Gualtieri explained what happened next:
“The hacker changed the sodium hydroxide from about 100 parts per million to 1100 parts per million. This is obviously a significant and potentially dangerous increase.
“Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in the water treatment plants.
“After the intruder increased the parts per million from 100 to 1100, the intruder exited the system, and the plant operator immediately reduced the level back to the appropriate amount of 100.
“Because the operator noticed the increase and lowered it right away at no time was there a significant adverse effect on the water being treated.”
According to officials, other safeguards would probably have prevented the increase in chemicals from successfully reaching the water supply.
According to Sheriff Gualtieri, the public was never in danger and “at no time was there a significant adverse effect on the water being treated.”
But still, thank heavens for the prompt action of the sharp-eyed worker who was able to undo the commands being sent by the hacker to the water treatment plant.
Questions need to be asked about whether remote access to this and other water treatment plants is properly secured. In particular, when many workers are doing their jobs remotely, there should be authentication checks in place to ensure that only those who have a legitimate reason to access such sensitive systems are able to do so.
Furthermore, are the home computers being used by remote workers properly defended from hackers who might use them as a way of getting at sensitive parts of a city’s infrastructure?
The FBI and Secret Service are said to be investigating the security breach, and – for now – the remote access system abused by the hacker has been disabled.
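The "other safeguards" officials mention and the authentication checks called for above can be made concrete with an independent setpoint guardrail. The code below is an added example, not code from the article or from the Oldsmar plant; the tag name, limits, session fields and the sample scenario are constructed for illustration.

```python
# Added example (not the article's or the plant's code): an independent
# setpoint guardrail that sits between an HMI session and the dosing
# controller. Every setpoint write must pass two checks: the value stays
# inside a plausibility envelope (hard limits plus a maximum single-step
# change), and the session is an authenticated local operator, so a remote
# view session is monitor-only. Tag names, limits and sessions are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SetpointPolicy:
    tag: str
    low: float       # hard process limit, never accepted below
    high: float      # hard process limit, never accepted above
    max_step: float  # largest change allowed in one write


@dataclass
class SetpointGuard:
    policy: SetpointPolicy
    current: float
    alarms: list = field(default_factory=list)

    def request_write(self, value: float, session: dict) -> bool:
        """Apply the write only if every check passes; otherwise record an
        alarm carrying the session origin and leave the setpoint untouched."""
        reasons = []
        if session.get("remote") or session.get("role") != "operator":
            reasons.append("write from non-operator or remote session")
        if not self.policy.low <= value <= self.policy.high:
            reasons.append(f"{value:g} outside {self.policy.low:g}-{self.policy.high:g}")
        if abs(value - self.current) > self.policy.max_step:
            reasons.append(f"step {abs(value - self.current):g} exceeds {self.policy.max_step:g}")
        if reasons:
            self.alarms.append({"tag": self.policy.tag, "from": self.current,
                                "requested": value, "user": session.get("user"),
                                "remote": bool(session.get("remote")), "reasons": reasons})
            return False
        self.current = value
        return True


def replay_oldsmar_style_change() -> SetpointGuard:
    """Constructed scenario mirroring the reported 100 -> 1100 ppm change."""
    guard = SetpointGuard(SetpointPolicy("NaOH_dose_ppm", low=50, high=200, max_step=20), current=100)
    guard.request_write(1100, {"user": "unknown", "remote": True})      # rejected and alarmed
    guard.request_write(110, {"user": "shift_op", "role": "operator"})  # routine local adjustment, accepted
    return guard
```

The rejected write produces an alarm record that can be forwarded to the plant's alarm system or SIEM, so the change is caught even when nobody happens to be watching the screen.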
I have worked in this field (for over a decade). I know how control systems ought to be configured.
I remain utterly astounded that remote access (we believe TeamViewer) would be permitted on the primary system control computer. How hard would it be to implement a read-only version of the control software for managers to check while they scarf down their eggs and coffee at home each morning?
Fortunately, as they say in the video, there were many downstream testing points that would have detected the 'odd' chemistry before the water reached consumers – yes, that's how these systems are routinely implemented. Water treatment is a well-understood industry and implementations are pretty much the same the world over.
I submitted this video to a world-wide SCADA security discussion list of which I am a member and the general consensus was that the failure came from management – "don't make it complicated." Unfortunately, 'complicated' is the enemy of the hacker (and the non-computer literate manager!).
One other note… it seems to me that the 'hacker' didn't really know what he was dealing with or what effect he might have. All he did was change the NaOH level from 100ppm to 11,100ppm. Does that look like someone who found an editable field, clicked at the front and hit '1' twice? Sure does to me.
This looks far less 'organised' than it does 'random.' Oh… and don't get me started on the widely known database of penetrable systems… those who say it was 'targeted' are clueless.
BTW… Graham's commentary says 1100ppm – it was actually 11,100ppm.