As the above video describes, a remote hacker managed to gain access to computer systems at the water treatment plant in Oldsmar, Florida, and briefly increased the amount of sodium hydroxide in the water by a dramatic amount.
According to the press conference called by Sheriff Bob Gualtieri, Mayor Eric Seidel, and City Manager Al Braithwaite, the unauthorised access to the computer systems was first seen at approximately 8 o’clock in the morning on Friday.
According to what was said at the press conference, the operator at that time did not suspect anything out-of-the-ordinary was occurring “because his supervisor and others will remotely access his computer screen to monitor the system at various times.”
However, at around 1:30 pm the hacker returned, and began to meddle with the plant’s settings:
“…nothing else happened from that initial intrusion at about 8 o’clock on Friday morning until about 1:30 when someone again remotely accessed the computer system, and it showed up on the operator screen with the mouse being moved about to open various software functions that control the water being treated in the system.
“The person remotely accessed the system for about three to five minutes opening various functions on the screen.”
Pinellas County Sheriff Bob Gualtieri explained what happened next:
“The hacker changed the sodium hydroxide from about 100 parts per million to 1100 parts per million. This is obviously a significant and potentially dangerous increase.
“Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in the water treatment plants.
“After the intruder increased the parts per million from 100 to 1100, the intruder exited the system, and the plant operator immediately reduced the level back to the appropriate amount of 100.
“Because the operator noticed the increase and lowered it right away at no time was there a significant adverse effect on the water being treated.”
According to officials, other safeguards would probably have prevented the increase in chemicals from successfully reaching the water supply.
According to Sheriff Gualtieri, the public was never in danger and “at no time was there a significant adverse effect on the water being treated.”
But still, thank heavens for the prompt action of the sharp-eyed worker who was able to undo the commands being sent by the hacker to the water treatment plant.
Questions need to be asked about whether remote access to this and other water treatment plants is properly secured. In particular when many workers are doing their jobs remotely, there should be authentication checks in place to ensure that only those who have a legitimate reason to access such sensitive systems are able to do so.
Furthermore, are the home computers being used by remote workers properly defended from hackers who might use them as a way of getting at sensitive parts of a city’s infrastructure?
The FBI and Secret Service are said to be investigating the security breach, and – for now – the remote access system abused by the hacker has been disabled.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.