Geo-Poli-Cyber Hackers Successfully Breach Florida’s Treatment System to Remotely Poison Water Supply
Hackers successfully infiltrated the computer system controlling a water treatment facility in the U.S. state of Florida and remotely changed a setting that drastically altered the levels of sodium hydroxide (NaOH) in the water.
The water treatment facility, which is located in the city of Oldsmar and serves about 15,000 residents, is said to have been breached for approximately 3 to 5 minutes by unknown suspects on February 5, with the remote access occurring twice, at 8:00 a.m. and 1:30 p.m.
“For years we have been warning governments about the threats to water reservoirs. Some paid attention, were proactive and implemented improved nationwide mandatory standardized risk mitigation protocols. Others did not, but chose to do more consultations with their traditional vendors and remained following ‘best practices’ which left their reservoirs and people more vulnerable,” said an MLi Group National Cyber Survivability and Security expert.
The expert later added, “critical national infrastructures’ exposure to vulnerabilities poses a direct threat to National Survivability and Security which can no longer be effectively mitigated if you are still following ‘best practice’ models.”
The hackers increased the amount of sodium hydroxide from 100 parts-per-million to 11,100 parts-per-million using a system that allows for remote access via TeamViewer, a tool that lets users monitor and troubleshoot any system problems from other locations.
The MLi Group expert added, “It is not immediately known if the hackers were operating from within or from outside the United States. But what is clear is that their motivation was not financial but one to inflict maximum damage and get international publicity at the cost of innocent civilians’ lives. This leads us at the MLi Group to classify this cyber attack as a ‘Geo-Poli-Cyber’ motivated cyber attack.”
Sodium hydroxide, also known as lye, is a corrosive compound used in small amounts to control the acidity of water. In high and undiluted concentrations, it can be toxic and can cause irritation to the skin and eyes.
Although the vigilance of the operator, together with an element of luck, averted more serious and possibly deadly consequences, this event should act as a warning signal to many governments and local authority decision makers. The ineptness of currently followed risk mitigation processes and protocols, as well as of the defence strategies and solutions in use, is leaving critical national infrastructure, its facilities and industrial control systems too vulnerable to cyberattacks, especially Geo-Poli-Cyber motivated ones.
Although Pinellas County Sheriff Bob Gualtieri was eager to restore confidence when he said at the press conference, “At no time was there a significant effect on the water being treated, and more importantly the public was never in danger,” the fact that a hacker was able to leverage TeamViewer to take over the system underscores the gravity of the vulnerability exposure.