Hacker tried to poison Florida city’s water supply
As an employee at a water treatment plant watched, a hacker took control of his computer and changed chemical controls to dump lye into the drinking water of Oldsmar, Fla., a city of 15,000 near Tampa.
At about 8 a.m. on Feb. 5, a worker at the Oldsmar water treatment plant noticed that his computer was being remotely accessed by TeamViewer, a popular desktop control application that allows IT staff and supervisors to monitor operations and troubleshoot enterprise computers in remote locations. The worker “didn’t think much of it,” Pinellas County Sheriff Bob Gualtieri said at a Feb. 8 news conference, because such remote access was not unusual.
The intruder returned later that same day, moving the employee’s mouse to open functions that control water treatment protocols, including one that adjusts the amount of sodium hydroxide, or lye, in the water. The hacker changed that level from about 100 parts per million to 11,100 parts per million, potentially endangering Oldsmar residents. Fortunately, the operator who was watching the intruder’s movements immediately reduced the chemical to the appropriate level and notified a supervisor.
Such attacks on utility control systems are not unusual, according to Lesley Carhart, a principal threat analyst at Dragos, an industrial control system security firm. Carhart told Wired that even unsophisticated hackers can find thousands of connected systems with tools like Shodan, a search engine that lets users find specific types of internet-connected devices.
According to Carhart, water treatment and sewage plants are vulnerable targets, especially during the pandemic when some workers are remote and IT staff are under-resourced. It’s usually the complexity and redundancies built into industrial control systems that prevent hackers from causing serious consequences, she said.
Oldsmar’s water treatment plant has several redundancies in place to catch unexpected changes.
“If you change the…