cybersecurity water hack
Learn steps to prevent an attack for your water system.
Pumps & Systems

The city of Oldsmar, Florida nearly had its water system poisoned after a hack in early February. According to the Tampa Bay Times and other media outlets, citing Pinellas County Sheriff Bob Gualtieri, someone remotely accessed a computer for the city’s water treatment system and briefly increased the amount of sodium hydroxide by a factor of more than 100.

But how could this have happened? Maybe a bigger surprise was that it became public in the first place.

Janine Nielsen, the North America business development manager, for the water/wastewater industry at Rockwell Automation, shared with Pumps & Systems magazine that there are everyday cybersecurity threats that do not make the headlines.

“The [Florida] city water hack is a stark reminder that the growing digitalization of critical structure brings upon advanced technological benefits,” Nielsen said. “But that also means there are needs to be built on to create a safe, secure and resilient network infrastructure.”

Oldsmar provides water directly to its businesses and roughly 15,000 residents, Gualtieri said. The water treatment plant was set up to allow authorized users to access it remotely. The plant operator noticed someone accessed the system remotely on Friday, Feb. 5., at 8 a.m., but did not think twice about it because his supervisor would access it remotely.

Later that day, it was remotely accessed again. This time, he said, the plant operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.

The plant operator immediately reset the settings to 100 parts per million. Even if he had not caught it immediately, it would have taken more than a day for the changes to affect the system.

“At no time was there a significant adverse effect on the water being treated,” Gualtieri said. “Importantly, the public was never in danger.”

The sheriff’s office has launched an investigation, and if the attacker is apprehended, they will face state felony charges and possible federal charges. Florida senator Marco Rubio said it should be treated as a matter of national security.

“Based on the Joint Cybersecurity Advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) dated Feb.11, 2021, the recent Florida water treatment facility experienced a dangerous breach which unidentified actors likely gained access to their Supervisory Control and Data Acquisition (SCADA) system via remote access software, TeamViewer, with a shared password, lack of a firewall or an outdated Microsoft Windows operating system,” Nielsen said.

“The major effects of this intrusion are that the hackers gained remote access to a computer that controlled the chemical doses of an amount of sodium hydroxide or lye into the drinker water. This tampering could cause severe sickness and death to residents. However, the residents would have not been in danger because water systems are engineered with redundancies that would catch these dangerous conditions before it reached the community.”

Nielsen shared several ways for a hack like the one seen in Florida to be prevented.

  • The first step to prevent this type of breach is to conduct an assessment to identify all physical assets and software connected to the network, including all remote assets.  
  • The second step would be to build a secure network design which should include a supported operating system.
  • The third step is to always practice cybersecurity hygiene.
  • And lastly, the fourth step is to implement ongoing training of the workforce on security protocols.

“The best offense is a good defense which is building a plan to protect your control system,” Nielsen said.

SOURCE: Tampa Bay Times