U.S. law enforcement officials are investigating a remote breach of a Florida city’s water plant, saying that hackers attempted to poison the water system serving nearly 15,000 people.
On February 5th, the hack was spotted—and neutralized—in real time by workers at a plant that provides water to Oldsmar, a small town near Tampa, Florida.
Local Sheriff Bob Gualtieri said an unidentified intruder secretly hacked into the plant and sought to increase sodium hydroxide levels by a factor of more than 100.
Sodium hydroxide, also known as lye, regulates the acidity of drinking water, but increased amounts maliciously added to the water system can physically harm the public.
Details of the incident are minimal, but municipal authorities said that the availability of water in the city was never compromised.
Sheriff Gualtieri said during a briefing on Monday that the hack was first discovered earlier in the morning, in real time, by a staffer who detected the remote connection to the plant.
The sheriff said the remote access itself was not uncommon, but the intruder returned shortly after lunch on the same day, and the plant managers watched as the hackers took control of the mouse and began operating the computer.
The intruder used the control program for about three to five minutes and raised the level of lye from 100 parts per million to 11,100 parts per million.
When the intruder left, the change was immediately reversed by the plant managers. “There was no major harmful impact on the water being handled at any time. The public has never been at risk,” he said.
Cybersecurity analysts have long cautioned that by targeting exposed human-machine interfaces (HMIs), hackers could inflict significant harm on organizations, and the incident in Oldsmar is another example of how fragile those systems can be throughout the country's critical infrastructure.
In early 2020, after a series of cyberattacks against water infrastructure, the Israeli government issued a warning to organisations in the water sector and urged water and energy providers to immediately update the passwords of internet-accessible control systems, limit internet accessibility and ensure that all information for the control system is up-to-date. Just weeks later, a group of Iranian hackers shared a video demonstrating how they managed to access an industrial control device at an Israeli water plant.