In a particularly disturbing cyberattack, a water supply hack in Oldsmar, Florida, could have poisoned that city’s drinking water.

According to the Pinellas County Sheriff’s Office, someone remotely accessed a computer for the city’s water treatment system. They then briefly increased the amount of sodium hydroxide, also known as lye, by a factor of more than 100.

The city’s computer system at the water treatment plant allows for remote access by authorized users to troubleshoot any system problems from other locations.

At no time did the hacker significantly affect the water. And the public was never in danger, the sheriff’s office said.

Cybersecurity experts say this water supply hack isn’t an isolated incident and similar attacks are likely on the horizon.

Jerry Ray is SecureAge‘s COO. He said this attack is one of many. And there will be more given how easily the attacker gained access and nearly control.

SecureAge’s Jerry Ray

“Everyone involved with cybersecurity for critical infrastructure will have to go beyond regulatory compliance, best practices, or anything else that has been generically written or applied,” he said. “They need to look critically at their unique systems and personnel, considering how all of it could be undermined.”

‘Brazen and Clumsy’

The “brazen and clumsy” nature of the water supply hack combined with a seemingly sophisticated awareness of how to poison it through its own treatment processes make this as interesting as it is disturbing, Ray said.

“Without doing the research, attacks on critical infrastructure in the U.S. and internationally happen with regretful frequency, whether on the IT systems (as in this case) or the industrial control systems to which those IT systems are often connected,” he said.

It’s unlikely the attack was by a state-sponsored actor, Ray said. That’s because a plant operator detected the hack through obvious mouse movements.

“Foreign adversaries would more likely find some point of entry into critical infrastructure systems and establish dormant persistence that would only ever be used in some type of battle plan,” he said.

Depending on the motivation and goal, this may or may not have been a successful attack, Ray said.

“The intruder gained control of a machine that connected to control systems and actually changed parameters of the sodium hydroxide added to the water,” he said. “That may have been the extent of the attacker’s goal. Despite a failsafe within the control system that would have prevented the levels from entering the danger zone, the attacker was only that failsafe away from poisoning the water. If that was the goal, the attacker came awfully close.”

Few Skills Required

Chloé Messdaghi is Point3 Security‘s vice president of strategy. She said this attack didn’t require someone highly skilled.

Point3 Security’s Chloé Messdaghi

“Although alarms would’ve been triggered before any dangerous water reached anyone’s taps, this plant was very lucky that the worker noticed his mouse moving and was able to address it quickly,” she said. “Water plants are not known for their security resources. And between budget cuts and COVID-19 keeping people working remotely, they’re even more vulnerable. It’s becoming more and more easy to access systems like these by people who have hardly any experience at all.”

Randy Watkins is CriticalStart‘s CTO. He said the water supply hack underscores the need to re-evaluate the security of critical infrastructure systems.

Critical Start’s Randy Watkins

The attacker gained access to the system controlling chemical distribution through TeamViewer, the installed remote access application, he said. Consumers and small businesses commonly use TeamViewer for support. However, it lacks many of the capabilities that should be required of a critical infrastructure facility.

Detected by Luck

The city was lucky to detect the attack, Watkins said. While reversed quickly, the attack serves as a valuable lesson.

“For those managing critical infrastructure, applying multifactor authentication to a VPN to gain access to a commercial remote access software capable of monitoring all sessions should be the standard,” he said.

Shared Assessments’ Tom Garrubba

Tom Garrubba is Shared Assessments‘ CISO.

“With so much emphasis recently placed on hacks for the health care and financial services industry, an infrastructure hack such as this tends to hit much closer to home as it regards our physical safety,” he said. “As this is the case, it is critical to consistently review and monitor such critical administrative accounts that control such systems.”

If a hack or changes in set tolerances occur, a root cause analysis is imperative, Garrubba said. That will prevent an event from happening in the future.