At Julie Security, we have addressed the scary possibility of utility companies getting hit by cyberattacks and the potential impact on society at large.
Fortunately, many organizations make good use of the security technologies available to them to protect their infrastructures, and such attacks do not bear fruit.
Yet we sometimes see episodes where highly serious consequences came close to becoming real. This is the case for the latest cyberattack on a water treatment plant in Oldsmar, Florida.
Pinellas County Sheriff Bob Gualtieri shared at a news conference that a malicious actor yet to be identified carried out two attacks on the water treatment plant’s system in a single day. The second attack, the one that actually succeeded, was aimed at the software that helps operators troubleshoot issues related to computerized parts of their treatment system.
According to the public statement, plant operators noticed an attack early in the day and countered it successfully before it caused any serious damage. Later that day, an attacker suspected to be the same hacker responsible for the previous attack managed to breach the system.
The criminal immediately proceeded to increase the acceptable level of sodium hydroxide in the water. The system generally uses 100 parts per million of sodium hydroxide, commonly known as lye. The hacker increased this value to 11,100 parts per million, considered a highly toxic level of the chemical in the water.
Operators at the water plant noticed the increase and moved quickly to correct the levels. According to the official statement, an undetected change of lye levels like this one could mean high levels of toxicity in the water supply within 36 hours. Fortunately, this wasn’t the case thanks to the staff’s swift actions.
The only reason why this hasn’t become major news all around the world is that an operator was quick enough to counter the hack. If not, we would be reading a very different story, one with a part of the population potentially poisoned.
The software mentioned before, the one that helped operators troubleshoot problems, enabled full remote access to the system. It is now disabled, but the episode shows how much damage a poorly protected system can do.
This hack is clear evidence of how serious a cyberattack on industrial control systems (ICS) can be. And because we cannot simply isolate infrastructures and their controls from the Internet (operators need to operate, even from a distance), effective protection must be implemented.
While the city is working with the FBI and Secret Service to find the criminal behind the attack, water facilities and other utility companies that power essential services in our society must go the extra mile in protecting their infrastructures, preventing situations like this in the first place.