WASHINGTON — A hacker gained access to a water treatment system in a Florida town last week and boosted levels of sodium hydroxide — otherwise known as lye — to dangerous levels before it was detected and reversed.
That kind of attack has been growing in recent years as more and more industrial control systems are operated through the internet and as information on how to break into them is spreading online.
“This is something we have been observing happening recently, more and more often around 2020,” Daniel Kapellmann Zafra, an analyst at Mandiant Threat Intelligence, a unit of the cybersecurity research firm FireEye, said in an interview. “The reason this is happening is because information about how to interact with these systems, like industrial control systems, is becoming more easily available. … You can find tutorials online.”
Though most incidents tend to be small and don’t result in any physical damage, hackers are sharing information on their exploits in forums, potentially encouraging others to do the same, Zafra said.
Zafra and other analysts believe that the hacker, who has yet to be identified, is likely a novice who may have gained access to the water treatment facility in Oldsmar, Florida, through TeamViewer software, an online collaboration tool that allows users to take control of a remote target computer as if they were in front of it.
It’s not just novices looking for cyber scalps. Criminal gangs deploying ransomware and sophisticated nation-state hackers looking to inflict severe pain also have been scouting for weaknesses in U.S. critical infrastructure systems for years.
In March 2018, the Cybersecurity and Infrastructure Security Agency and the FBI warned that Russian government hackers had launched a “multi-stage intrusion campaign” to target small contractors and suppliers and then used that access to steal login credentials, which they used to gain access to larger U.S. energy-sector networks.
The agencies warned that Russians had targeted “U.S. government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
A day after President Joe Biden took office, a group of tech executives representing top utilities and trade associations in the water and energy sectors, known as the National Infrastructure Advisory Council, wrote to the president asking him to boost cooperation between government entities and private companies. The group called for creation of a Critical Infrastructure Command Center so that intelligence agencies can share classified information with private companies about threats as well as fixes.
In the Florida case, Oldsmar’s Sheriff Bob Gualtieri said Monday that the FBI is investigating the incident.
Gualtieri said the attacker gained access to the city’s water treatment computer system twice on Feb. 5, and took advantage of the remote access software used by operators for maintenance.
After gaining access the second time, the attacker, who spent about five minutes in the system, dialed up the level of sodium hydroxide from the usual 100 parts per million to 11,100 parts per million, before exiting the system, Gualtieri said. The chemical is used to alter the pH balance in the water.
Gualtieri and other city officials said the system is designed to take 24 to 36 hours before the altered formula flows into the water supply. An operator noticed the change and reversed the hacker’s settings, Gualtieri said.
“The thing I want to stress is this type of activity, this type of hacking of critical infrastructure is not necessarily limited to just water supply systems,” Gualtieri said. “It can be sewer systems, it can be a whole variety of things, and it can be really problematic.”
Despite cybersecurity weaknesses that may expose systems to attacks and mischief, causing physical damage and destruction by hacking industrial control systems requires greater knowledge about how an entire process works and the linkages between online and physical systems, Zafra said.
“It takes some reconnaissance, and the actor has to master different types of fields and understand how the plan works, where the alarms are situated,” Zafra said. While such skills may be beyond the reach of novice hackers, sophisticated criminal gangs and nation-state hackers would be capable of mastering such skills, he said.