A small municipal water supply was briefly tainted by a dangerous chemical. Luckily, the problem was quickly spotted and the hazard avoided.
Local police say the strong alkali was added by a hacker interfering with a water treatment facility in Oldsmar, Florida (pictured). The deadly compound is useful in tiny quantities, but the hacker multiplied the dosage by more than 100.
It’s another reminder of the risks of putting SCADA systems on the internet. In today’s SB Blogwatch, we crack open a delicious Évian.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: John D. Boswell wants you to think next time you blink.
TeamViewer Vulnerability Probed
What’s the craic? Christopher Bing reports—“Hackers try to contaminate Florida town’s water supply through computer breach”:
?Hackers broke into the computer system of a facility that treats water for about 15,000 people near Tampa, Florida and sought to add a dangerous level of additive to the water supply, the Pinellas County Sheriff said. … The hackers remotely gained access to a software program, named TeamViewer, on the computer of an employee at the facility for the town of Oldsmar. … The hackers then increased the amount of sodium hydroxide, also known as lye, being distributed into the water supply. The chemical is typically used in small amounts to control the acidity of water, but at higher levels is dangerous. … The water treatment facility was able to quickly reverse the command, leading to minimal impact. [It] also had other controls in place that would have prevented a dangerous amount of lye from entering the water supply unnoticed. … The FBI and Secret Service have been called in to assist in an investigation.
What happened? Jaclyn Peiser tells the story—“A hacker broke into a Florida town’s water supply”:
?A plant operator at a water treatment facility in Oldsmar, Fla., noticed his mouse dash around his screen. For three to five minutes … he tracked the arrow as it clicked open one software function after another until it finally landed on the controls to the water’s levels of sodium hydroxide … the main ingredient in liquid drain cleaners. … Then, he watched the hacker who’d taken control of the system raise the levels of sodium hydroxide by more than 100 fold, according to police — a hazardous level that could sicken residents and corrode pipes. The operator was able to quickly fix the levels moments after. … But the near miss incident was the latest alarming sign that critical infrastructure in the United States is vulnerable to cyberattacks. In July, the Cybersecurity and Infrastructure Security Agency warned that infrastructure like water and power plants … make “attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.” … Sen. Marco Rubio (R-Fla.) said he was asking the FBI to “provide all assistance necessary” in the investigation. … So far, police have not identified suspects but said they are following a few leads. Authorities also don’t know if the hacker was foreign or domestic and are unclear of the motive.
Sounds like they got nothing. Florida man Jack Evans writes—“Someone tried to poison Oldsmar’s water supply”:
?Nobody has been arrested … Pinellas County Sheriff Bob Gualtieri said … though investigators have some leads. They do not know why Oldsmar was targeted, he said. … Investigators don’t yet know whether the attack originated within or outside Pinellas County, Florida or the United States. If the attacker is apprehended, [Gualtieri] said, they’ll face state felony charges and possibly federal charges. … The computer system at the water treatment plant was set up to allow authorized users to remotely access it for troubleshooting. [Gualtieri] added that other area municipalities have been alerted to the attack and encouraged to inspect the safeguards to their water treatment systems and other infrastructure. … Contact with sodium hydroxide can kill skin and cause hair loss. … Ingestion can be fatal. … In 2007, the water of a town in Massachusetts was accidentally treated with too much … causing burns and skin irritation.
Yikes. Bernard Meyer is sorry-not-sorry—“The sorry state of critical US infrastructure security was never a secret”:
?Despite growing investments in critical infrastructure security, many [industrial control system] (ICS) panels in the US [are] still unprotected and easily accessible to threat actors. … In January 2020 … we found multiple unprotected control panels for water and sewage treatment facilities in cities and towns just like Oldsmar, Florida. … Other cities’ water systems were also vulnerable, including Ladonia, Texas and St. Bonifacius, Minnesota. … We also found a public sewer pump station in Scituate, Massachusetts to be vulnerable, as well as various coastal and onshore oil wells. … We were shocked to discover that virtually anyone with a specific skill set could cause harm to critical US infrastructure. From silencing alarms on oil wells, to infecting the water supply, to causing city-wide water outages, such cyberattacks could physically affect untold numbers of people. … Many government institutions and security companies in the US were well-aware that ICS systems [are] extremely vulnerable to cyberattacks. However [there’s] a lack of urgency and institutional will to ensure adequate protection for all ICS systems. … And the Oldsmar water treatment facility hack seems to be the (entirely avoidable) result.
Why this city? subsubzero is glad you asked:
?Why this city you ask?
Well the Superbowl was being played that weekend a few miles away on Sunday and so there was a large amount of media and visitors in town for the game. … Glad they reverted it as who knows what would have happened if left unchecked.
That’s scary. 99 Bottles takes one down and passes it around: [You’re fired—Ed.]
?Most small water systems aren’t staffed 24/7. They’re lucky to have enough people to maintain basic operations during the day.
It mostly comes down to dollars. Getting people to understand and pay the true cost of water is a huge issue for small systems.
Follow the money. ac29 agrees, and isn’t at all surprised:
?In a perfect world, maybe there would be unlimited budgets for small rural water districts to have 24/7 onsite staff and run highly secured networks.
I regularly work with these sorts of water districts. … In reality, some of these small districts may only have [two or three] operators on staff. Sending them home with a pager, a tablet, a VPN password, and some overtime pay is a lot easier to get past the city council then taking on another two employees to cover the night shift for those rare events that need to be handled ASAP.
I could share some real horror stories, but it wouldnt be professionally appropriate. Suffice to say, this story did not surprise me at all.
So is this a job for better authentication? ahodgson swearily says no:
?Anything that can kill people should be adequately protected. 2FA is not the answer to something that can ***ing kill people. [Instead] don’t connect it to the bloody Internet in the first place.
Meanwhile, bilbo0s digs deeper:
?All the patches and upgrades in the world won’t help if some dingbat installs TeamViewer and leaves it running.
“Space is big. Really big. You just won’t believe how vastly, hugely, mind-bogglingly big it is.”
Previously in And Finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.