A hacker was able to infiltrate the water system of a Florida city using a remote access software platform that hadn’t been used in months, according to news reports.
The hacker accessed the City of Oldsmar’s water treatment system twice last Friday – once in the morning and once in the afternoon – via remote access software TeamViewer.
According to news reports, officials still aren’t clear on how the malicious actor first gained access to the system, but it could be through compromised credentials, as the system requires a password to be controlled remotely.
CNN, quoting local officials, reported that the hacker attempted to essentially poison the city’s water supply.
Once inside, the hacker adjusted the level of sodium hydroxide, or lye, to more than 100 times its normal levels, Gualtieri said. The system’s operator noticed the intrusion and immediately reduced the level back. At no time was there a significant adverse effect to the city’s water supply, and the public was never in danger, he said.
According to the Tampa Bay Times, sodium hydroxide is used to regulate acidity levels, but it can be dangerous to humans at high levels.
This kind of attack is one that keeps cybersecurity experts up at night. Attacks on infrastructure like water systems can impact millions of citizens, as opposed to nation-state attacks that target corporate and government networks.
According to the Associated Press, there are 151,000 separate water systems in the U.S., many of which operate in cities with small IT staffs, and some have no dedicated security staff at all. Water utilities – especially when publicly owned – are prone to funding issues that make them a soft target for cyber attacks.
As the computer networks of vital infrastructure become easier to reach via the internet — and with remote access multiplying dizzily during the COVID-19 pandemic — security measures often get sacrificed.
“It’s a hard problem, but one that we need to start addressing,” said Joe Slowik, senior security researcher at DomainTools. He said the hack illustrates “a systemic weakness in this sector.”
The hack wasn’t all that sophisticated, cybersecurity experts say. The AP reports that a supervisor monitoring a plant console saw a cursor move across the screen to change settings, and the hacker was inside the system for all of five minutes.
Utilizing remote access software like TeamViewer is a common tactic for hackers seeking the path of least resistance. Simply compromising a user’s credentials to access these platforms gives hackers the keys they need to wreak havoc in an organization’s internal systems.
Despite the apparent lack of sophistication, the intruder was dangerously close to affecting the drinking water for an entire city. It’s time for municipalities – which control so many critical public systems – to adequately invest in cybersecurity defenses.