A cyber attacker attempted to poison a Florida community’s water supply by breaking into the city’s water treatment plant. On February 5, an operator at the water treatment plant in the town of Oldsmar, Pinellas County, noticed someone was controlling his mouse. The operator initially did not think much of the activity, reported WTSP TV.
The computer system he was monitoring at the time was equipped with remote access software that managers could use to troubleshoot problems from different locations. But there was no doubt as the operator watched his cursor open various functions on the screen and adjust the amount of sodium hydroxide in the water from 100ppm to 11,100ppm.
Per the University of Florida Academic Health Center, sodium hydroxide poisoning can cause breathing difficulties, burns to the esophagus and stomach, loss of vision, shock, and/or holes in the skin or tissue under the skin. At the time of this writing, it was unclear whether the level at which the attacker set the sodium hydroxide would have caused these symptoms.
In response to the observed attack, the operator immediately reduced the sodium hydroxide setpoint back to its previous level. This early intervention stopped the caustic soda from reaching 11,100 ppm, a process that, according to CNN, would have taken 24 to 36 hours.
Oldsmar's Mayor Eric Seidel and City Manager Al Braithwaite noted that there were also several failsafe and alarm systems in the water treatment plant that would have prevented the sodium hydroxide from reaching these levels even if the operator hadn't noticed the change.
Braithwaite added that the water treatment plant has temporarily disabled the remote access software while it works to prevent a similar security incident from occurring in the future.
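The failsafes the mayor and city manager describe are, in practice, engineering limits enforced in the controller itself rather than in the operator screen an intruder can drive. The following is an added illustration of that idea and is not code from Oldsmar's control system or from Cybereason; the limits (a 150 ppm hard ceiling and a 10 ppm maximum step per command) are assumed values chosen for the example, not the plant's real settings.

```python
from dataclasses import dataclass, field

# Assumed engineering limits for the example; the plant's real values are not public.
NAOH_NORMAL_PPM = 100.0      # the setpoint the page says was in effect before the attack
NAOH_HARD_MAX_PPM = 150.0    # absolute ceiling enforced regardless of who issued the command
NAOH_MAX_STEP_PPM = 10.0     # largest change accepted in a single command


@dataclass
class SetpointGuard:
    """Controller-side guard: accepts or rejects requested setpoints and records alarms.

    Because the check lives below the HMI, a remote-access session that can move the
    operator's mouse still cannot push the dose past the hard limit.
    """
    current_ppm: float = NAOH_NORMAL_PPM
    alarms: list = field(default_factory=list)

    def request(self, new_ppm: float, source: str) -> float:
        """Apply a requested setpoint if it passes both limits; return the setpoint in effect."""
        if new_ppm < 0 or new_ppm > NAOH_HARD_MAX_PPM:
            self.alarms.append(
                f"REJECT hard-limit: {source} requested {new_ppm:.0f} ppm "
                f"(max {NAOH_HARD_MAX_PPM:.0f})")
            return self.current_ppm
        step = abs(new_ppm - self.current_ppm)
        if step > NAOH_MAX_STEP_PPM:
            self.alarms.append(
                f"REJECT step-limit: {source} requested a change of {step:.0f} ppm "
                f"(max {NAOH_MAX_STEP_PPM:.0f} per command)")
            return self.current_ppm
        self.current_ppm = new_ppm
        return self.current_ppm


def replay_reported_change() -> SetpointGuard:
    """Replay the 100 ppm -> 11,100 ppm change the article reports against the guard."""
    guard = SetpointGuard()
    guard.request(11100.0, "remote-access session")  # constructed: the intruder's command
    guard.request(100.0, "local operator")           # constructed: the operator's correction
    return guard


if __name__ == "__main__":
    g = replay_reported_change()
    print(f"setpoint in effect: {g.current_ppm} ppm")
    for alarm in g.alarms:
        print(alarm)
```

The two limits play different roles: the hard ceiling bounds the worst case no matter how many commands are sent, while the step limit turns a single jump like 100 to 11,100 ppm into an alarm rather than a slow dosing process that someone must happen to notice.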
In a press conference on February 8, Pinellas County Sheriff Bob Gualtieri said the identity of those responsible for the attack was unknown, but that he was working on some clues as part of his ongoing investigations with the FBI and US intelligence.
US Senator Marco Rubio (R-Florida) tweeted that the attack “should be treated as a national security matter.”
Cybereason insights into the attack
To get an expert perspective on the attack, I spoke to Cybereason CSO Sam Curry. Here’s what he had to say.
David Bisson: What does this attack say about the broader digital threat landscape?
Sam Curry: With U.S. intelligence and the FBI involved in identifying the cyber criminals who tried to poison Oldsmar's water supply, this is another reminder that cyber threats against critical infrastructure networks are real. For almost a year since the beginning of the COVID-19 pandemic, threat actors have waged numerous acts of war against research companies, hospitals and other first responders. These attacks were bold, shocking and downright insane.
DB: Interesting. Was there anything that particularly shocked you about this attack?
SC: The surprising thing about manipulating the chemical levels in Florida’s water supply is that the bad guys have given up without first doing feasibility studies or storing attacks for later use. What we don’t know is whether there have been any successful attacks in the past few months and just not publicly reported on the news.
DB: That’s a good point. And what about the attackers? Do you have any idea who they might be or who would like to launch such an attack?
SC: It is premature to infer the motive of the attackers and who they are. The actors at this point can be script kiddies, terrorists, criminals, nation-state agents, or any other actor. The right response should be a proper process: investigate, understand, learn, improve, track the investigation and the data, and keep getting better. Acts of war are determined by the state and between states. The details are sparse so far, but we will all listen to the autopsy and we hope that the current administration will provide a deeper answer and hold the opponents responsible for this act accountable. To be clear, the investigation is what matters. It remains to be seen where it will lead, who it will affect and how we will interpret it.
DB: Understood. So where does that leave organizations in the meantime?
SC: These types of attacks show how organizations can no longer rely on indicators of compromise (IOCs) to protect themselves from attackers. Not when malicious actors launch unique attacks on individual targets. We're entering a new phase of digital security where it's all about using Indicators of Behavior (IOBs) to understand the entire chain of attacks and detect threats earlier. If organizations want to minimize the likelihood of a security breach, this is the direction they need to go.
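An IOC-based rule would need to know the intruder's address in advance; a behavior-based rule instead keys on the chain the article describes, a remote session followed shortly by an outsized setpoint change. The following is an added example of that kind of correlation and is not Cybereason's product logic or Oldsmar's telemetry. The log lines are constructed for the example, and the site policy it assumes (remote troubleshooting expected between 07:00 and 10:00 from the 10.0.0.0/8 range, a 15-minute correlation window, and "large" meaning at least double the previous value) is invented for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on the reported timeline; not real plant data.
LOG_LINES = [
    "2021-02-05T08:02:11 remote_session_open session=s1 user=maint01 src=10.20.0.5",
    "2021-02-05T08:05:40 hmi_setpoint session=s1 param=naoh_ppm old=100 new=102",
    "2021-02-05T13:00:03 remote_session_open session=s2 user=maint01 src=203.0.113.44",
    "2021-02-05T13:03:27 hmi_setpoint session=s2 param=naoh_ppm old=100 new=11100",
]

# Assumed site policy for the example (not a published standard or the plant's policy).
MAINTENANCE_HOURS = range(7, 10)                  # 07:00-09:59 local time
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CHAIN_WINDOW = timedelta(minutes=15)
LARGE_CHANGE_FACTOR = 2.0


def parse_event(line):
    """Turn 'TIMESTAMP event_name k=v k=v ...' into a dict with a datetime under 'time'."""
    ts, name, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["time"] = datetime.fromisoformat(ts)
    ev["event"] = name
    return ev


def session_risk_reasons(session_ev):
    """Behavioral oddities of a remote session: none of these is an IOC on its own."""
    reasons = []
    if session_ev["time"].hour not in MAINTENANCE_HOURS:
        reasons.append("outside_maintenance_window")
    src = ipaddress.ip_address(session_ev["src"])
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append("untrusted_source_network")
    return reasons


def detect_chains(lines):
    """Correlate each setpoint change with the remote session that preceded it.

    An alert requires the chain: a large change AND at least one risk signal on the
    session that issued it within CHAIN_WINDOW. A large change from a normal
    in-hours session, or an odd session that changes nothing, stays quiet.
    """
    sessions, alerts = {}, []
    for ev in map(parse_event, lines):
        if ev["event"] == "remote_session_open":
            sessions[ev["session"]] = ev
        elif ev["event"] == "hmi_setpoint":
            old, new = float(ev["old"]), float(ev["new"])
            reasons = []
            opened = sessions.get(ev["session"])
            if opened is not None and ev["time"] - opened["time"] <= CHAIN_WINDOW:
                reasons += session_risk_reasons(opened)
            if old > 0 and new / old >= LARGE_CHANGE_FACTOR:
                reasons.append("large_setpoint_change")
            if "large_setpoint_change" in reasons and len(reasons) >= 2:
                alerts.append({"session": ev["session"], "param": ev["param"],
                               "old": old, "new": new, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(LOG_LINES):
        print(alert)
```

Run against the sample, the morning session (in hours, internal source, 100 to 102 ppm) produces nothing, while the afternoon session is flagged on three behaviors at once. Swapping the intruder's address for a different one changes nothing about the verdict, which is the point of keying on behavior rather than on a known-bad indicator.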
Companies don't have to go it alone in this regard. Find out how Cybereason can help.