The attempt to poison a city’s water supply by remotely accessing its ICS underscores the need for cybersecurity assistance at under-resourced critical infrastructure facilities.

On Monday, February 8, a press conference hosted by Pinellas County, Florida, sheriff Bob Gualtieri dropped an industrial cybersecurity bombshell that reverberated worldwide. Gualtieri, along with the mayor and city manager of Oldsmar (population 15,000), revealed that a hacker had infiltrated the Oldsmar water treatment system to change the city’s water supply levels of sodium hydroxide from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also called lye, is a highly caustic chemical that is a key ingredient in liquid drain cleaners.

The hackers gained unauthorized access to an internal industrial control system (ICS), likely using stolen or lost credentials, via TeamViewer, a remote desktop application that allows users to log into systems from afar, a ubiquity across many organizations during the COVID-19 crisis. Gualtieri and the city officials offered only a few other details of the disturbing breach.

The attacker was caught in the act by a water utility employee who happened to see the cursor moving on the screen executing commands which were discovered hours later to be the malicious chemical composition changes. When the changes were discovered, the sodium hydroxide levels were restored to their original levels and no harm was done to the water supply. System checks and redundancies would have caught the deadly changes anyway, the officials maintained.

No one has yet determined whether the hacker was domestic or originated outside the United States. The FBI and the Secret Service are working on an investigation.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Sime Basioli on Unsplash