A computer intruder tried to poison a Florida town's drinking water with lye
Someone broke into the computer system of a water treatment plant in Florida and tried to poison drinking water for the approximately 15,000 residents of a Florida community, officials said on Monday.
The intrusion came on Friday evening when an unidentified person remotely accessed the computer interface that was used to set chemicals for drinking water treatment in Oldsmar, a small town about 25 km northwest of Tampa. The intruder changed the sodium hydroxide level to 11,100 ppm, a marked increase from the normal level of 100 ppm, Pinellas County Sheriff Bob Gualtieri said in a news conference Monday morning.
Better known as lye, sodium hydroxide is used in small amounts to treat the acidity of water and to remove metals. It's also the active ingredient in liquid drain cleaners. At higher levels, it's poisonous. Had the change not been reversed almost immediately, it would have increased the amount of the chemical to toxic levels.
"This is obviously a significant and potentially dangerous increase," Gualtieri told reporters. "At no point was there a significant adverse effect on the water being treated. The important thing is that the public was never in danger."
The authorities have not made any arrests to date but are following several leads. Gualtieri said it was not clear whether the intrusion came from inside or outside the US. The FBI and the Secret Service are also investigating. The sheriff's department has alerted local authorities to the attack and recommended that their water treatment systems and other infrastructure be checked for signs of intrusion.
The first signs that something was wrong came on Friday morning when a facility operator noticed someone was remotely accessing a system that controls chemicals and other aspects of the water treatment process. Gualtieri said the operator didn't think much about the incident as his manager and staff regularly logged into the remote system to monitor operations.
At around 1:30 a.m. on the same day, the operator then watched someone remotely access the system again. The operator could see the mouse being moved on his screen to open various functions that controlled the treatment process. The unknown person then opened the function that controls the input of sodium hydroxide and increased it 111 times. The intrusion took three to five minutes.
The operator immediately changed the setting back to the normal 100 ppm, the sheriff said. Even if the malicious change had not been reversed, other routine procedures at the facility would have caught the dangerous levels before the water was available to residents. It takes 24 to 36 hours for treated water to reach the supply system. Toxic water was never released.
The incident is sure to renew the debate about whether processes for utilities and other critical infrastructure should be exposed to the internet. The Pinellas County Sheriff's Department didn't immediately respond when asked if the utility required personnel to use two-factor authentication to remotely access interfaces like the one at Oldsmar. Reuters cited an interview with Gualtieri and reported that TeamViewer was the application used to provide remote access, but the department did not immediately respond to that question either.
Jake Brodsky, an engineer with 31 years of experience in the water industry, said it was by no means uncommon for water utilities to make such interfaces available remotely. While disapproving of the practice, he said that Gualtieri was likely right when he said the public was never in danger.
"There are a number of different things [water utilities] are looking for, and if they see something unusual they can isolate the storage water," he said in an interview. "The risk is relatively small here as long as you recognize it early enough and there are several checks before this happens."
If intruders can tamper with a process remotely, they can potentially tamper with the existing security redundancies as well. If Brodsky were advising Oldsmar officials on better securing their water treatment plant, "I would probably turn off remote access first, and it costs next to nothing," he said. If remote access is required, as is occasionally the case, connections should be manually permitted by someone physically present, and access should be cut off after a short period of time.
"I cannot imagine leaving such a connection open and exposed to the world," said Brodsky. "It's cheap and easy. You just call the operator and get access."