
Illustration by Security Management

Hacker Attempts to Poison Florida City's Water Supply

On Friday, 5 February, a water plant technician in Oldsmar, Florida, watched as someone controlled his computer and increased the amount of sodium hydroxide in the utility's water supply by 11,000 percent (from 100 parts per million to 11,100 parts per million).

In a news conference announcing the security breach Monday, Sheriff Bob Gualtieri of Pinellas County said, “This is dangerous stuff. It’s a bad act. It’s a bad actor. It’s not just a little chlorine, or a little fluoride—you’re basically talking about lye.”

Oldsmar is located approximately 15 miles from Raymond James Stadium in Tampa, Florida, and the hack occurred two days before the Super Bowl was played in that stadium. It is not known whether the timing and location of the hack are related to the event. In fact, not much is known about the perpetrators at all.

“Cybersecurity experts said the culprit could just as easily be bored teenagers, a disgruntled employee, or a nation-state or contractors doing their bidding,” The New York Times reports. “The process of attributing the attack could take months—or longer.”

Andy Bochman, senior grid strategist with the U.S. Department of Energy’s Idaho National Laboratory, does not think the hack was part of a large-scale attack of the nation’s infrastructure. “With the qualifier that we’re still learning more about this incident, and I don’t have any inside information, this appears to be a very rudimentary attack,” he says. “You would not need a nation-state level of sophistication or capability to conduct this particular attack.”

Because the technician witnessed it happening, the action was quickly reversed, and the water supply was unaffected. In the news conference, Gualtieri noted that other safeguards are in place, including manual monitoring, which would have detected the change prior to the water hitting the city’s water supply. Once detected, water utilities can take mitigation action, up to dumping the bad water before it hits the supply.
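One safeguard of the kind described above, written as an added illustration rather than code from the Oldsmar plant or any control-system vendor: an independent setpoint check that compares each requested dosing change against an engineered safe band and a maximum step size, so a jump such as the 100 ppm to 11,100 ppm change is flagged regardless of who requested it. The limits, event fields and sample events are assumptions constructed for the example.

```python
"""Setpoint-change guard for a water-treatment chemical dosing channel.

Added illustration (not code from the Oldsmar plant or from any vendor).
Limits, event format and sample events are assumptions chosen so that the
100 ppm -> 11,100 ppm sodium hydroxide change described in the article is
among the inputs.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    low: float        # lowest acceptable setpoint (ppm)
    high: float       # highest acceptable setpoint (ppm)
    max_step: float   # largest single change an operator may request (ppm)


# Hypothetical engineering limits for the NaOH (lye) dosing loop.
NAOH_LIMITS = Limits(low=50.0, high=200.0, max_step=25.0)


def check_setpoint(current: float, requested: float, limits: Limits) -> list[str]:
    """Return the violations for a requested change; an empty list means allowed."""
    reasons = []
    if not (limits.low <= requested <= limits.high):
        reasons.append(f"out of band: {requested} ppm not within [{limits.low}, {limits.high}]")
    if abs(requested - current) > limits.max_step:
        reasons.append(f"step too large: {requested - current:+.0f} ppm exceeds {limits.max_step}")
    return reasons


def audit(events, limits: Limits = NAOH_LIMITS) -> list[dict]:
    """Evaluate (timestamp, source, current, requested) events and return one
    verdict per event, so an operator can see which changes would be blocked."""
    results = []
    for ts, source, current, requested in events:
        reasons = check_setpoint(current, requested, limits)
        results.append({"ts": ts, "source": source, "requested": requested,
                        "blocked": bool(reasons), "reasons": reasons})
    return results


# Constructed sample events (not real plant logs).
SAMPLE_EVENTS = [
    ("2021-02-05T08:00:00", "hmi-console", 100.0, 110.0),       # routine adjustment
    ("2021-02-05T13:30:00", "remote-session", 100.0, 11100.0),  # the change the article describes
    ("2021-02-05T13:31:00", "remote-session", 100.0, 180.0),    # in band, but too large a step
]

if __name__ == "__main__":
    for verdict in audit(SAMPLE_EVENTS):
        print(verdict)
```

The check runs independently of the HMI, so it covers both a compromised remote session and an honest operator mistake; a real deployment would enforce the limits in the controller and alarm on every blocked request.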

Gualtieri told Wired magazine that the hackers appeared to gain access by compromising the water treatment plant’s TeamViewer software, a program that allows remote access and control of a computer. If anything is known about how the software was compromised, the information has not been made public as the investigation continues. The facility has uninstalled TeamViewer since the incident, and other critical infrastructure installations were warned prior to the Super Bowl. However, Gualtieri would not provide details on additional security precautions, such as whether remote access to such controls had been disabled.

Scott Stephens, CPP, is a security consultant with a specialization in water utility security. He is also the former chair of ASIS International’s Utilities Security Council (now the Utilities Security Community). “When I look at the incident,” Stephens tells Security Management, “I’m surprised there is Internet access to the process control system. Best practice is just to not have process control ever touch a system that has an Internet connection.”

He says smaller utilities, which have fewer resources, may have a need for remote monitoring of their water supply. “The municipal water system is a complex chemical system. You might need remote monitoring to watch chemical and supply levels in cases where there might be high demand because of a fire or a water main break or a spike in commercial use, so you can act quickly. But any control action you take can’t be done from an Internet-connected machine,” he adds.

Stephens says he believes most water utilities across the United States do not have this vulnerability—that there is no remote access via Internet-connected devices. He noted that the America’s Water Infrastructure Act of 2018 addresses the issue through its risk and resilience assessments and emergency response plan requirement. In a document from the U.S. Environmental Protection Agency (EPA) designed to help water utilities comply with the act, it says “cyber-attacks on water process control systems are not common. Most reported incidents of cyber penetration into process control systems have occurred where control networks lacked adequate segregation from business enterprise networks.”

Under the act, every water utility is required to certify to the EPA that they have completed their risk assessment and emergency response plan. The deadline for larger utilities to submit their certifications has already passed. For smaller utilities, such as the one in Oldsmar, the deadline is 30 June 2021.

Bochman says the incident should serve as a warning sign. “Most engineers and operators in water plants and other critical industrial engineering settings have very little to no education or training in cybersecurity,” he says.

At the Oldsmar facility, he noted, they clearly had not considered the likelihood that someone might intentionally misuse the access granted by the TeamViewer tool, nor planned accordingly. “It really reinforces the need for any operators or engineers dealing with systems that can directly affect the health and safety and the public to have a good understanding of their cybersecurity vulnerabilities. They don’t have to be cybersecurity experts, but having some basic knowledge applied to their situation can really save their bacon.”