The FBI, the Secret Service, and the Pinellas County Sheriff's Office are currently investigating an attempted poisoning of a city by an individual or group of hackers that occurred Friday last week. If it hadn't been caught in time, at least 15,000 people could have been affected.
In a Monday press conference, Pinellas County Sheriff Bob Gualtieri revealed details of this attack to the press.
"On Friday morning, of about 8 o'clock, a plant operator at the Oldsmar water treatment facility noticed that someone remotely accessed the computer system that he was monitoring," Sheriff Gualtieri said. This was, apparently, the first unauthorized attempt to remotely access the system. The connection was brief, so the operator didn't think much of it as his supervisor and other colleagues would also randomly log in to the computer he's monitoring.
It seems the attacker had gained access to a remote desktop application used by the plant's operators to access the water facility's computer system.
"...about 1:30 (PM), when someone again remotely accessed the computer system and it showed up on the operator screen with the mouse being moved about to open various software functions that control the water being treated in the system. The person remotely accessed the system for about 3 to 5 minutes opening various functions on the screen. One of the functions opened by the person hacking into the system was one that controls the amount sodium hydroxide in the water."
Sodium hydroxide, also known as caustic soda or lye, is used to treat acidity in water by raising its pH levels and removing heavy metals. Too much lye in water could cause skin burns and rashes—something residents in a small town in Massachusetts had experienced when they had a water supply treatment problem back in 2007.
Sheriff Gualtieri continues, "The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase."
After the attacker left the system, the operator quickly reduced the lye concentration level back to 100 parts per million.
Thankfully, this short adjustment by the hacker didn't deal any adverse effect on the the water being treated. No lye reached homes, thus no one was ever in danger. Moreover, the water treatment plant have redundancies in place, so if anyone missed this adjustment, the system would have caught the change in the pH levels in the water.
As of this writing, the Pinellas County Sheriff's office don't have a suspect but are following leads.
Attacks on vital infrastructure are among the "worst case scenario" cyberattacks that every professional in the industry fears. "Stuxnet", a malware weapon designed to damage Iran's nuclear centrifuges has become the poster child of such attacks.
However, there is no indication that this was a terrorist attack, or even that it was an attack targeted at the Oldsmar facility specifically. It may simply have been an act of vandalism. Internet-connected Industrial Control Systems (ICS) are not difficult to find.
Thankfully, this attack was not successful, but it is a timely reminder that the first priority for security often isn't the zero-day busting, APT-stopping sort of work, but unglamorous grunt work like air-gapping, patching, enforcing strong passwords and 2FA, and taking inventory.
"The important thing is to put everyone on notice," Oldsmar Mayor Eric Seidel said, "These kinds of bad actors are out there. It's happening. So really take a hard look at what you have in place."