Hacker has successfully infiltrated the computer system that controls the water treatment plant in the US state of Florida and remotely changed a regulation that drastically modified the levels of sodium hydroxide (NaOH) in the water.
During press conference held yesterday, Pinellas County Sheriff Bob Gualtieri said an employee at a water treatment plant in Oldsmar, Florida, noticed his mouse cursor moving strangely on his computer screen.
At first, he did not worry. The city's 15.000-person water treatment plant used TeamViewer remote access software to allow staff to share control screens and deal with computer issues. And his boss often connects to the computer, to monitor the systems of the installation.
However, a few hours later, the shift operator noticed that his mouse was moving again. But this time there was no illusion of benign surveillance by a supervisor or an IT person. The cursor started clicking on the water treatment plant controls.
Within seconds, the intruder was trying to change the sodium hydroxide (also known as caustic soda) levels in the water supply, moving the setting from 100 parts per million to 11.100 parts per million. At low concentrations, the corrosive chemical regulates the pH level of drinking water. At high levels, it seriously damages any human tissue wherever it touches it.
Immediately the employee managed to take control of the mouse and restore concentration levels before the damage spread. According to the sheriff, the instant regulation did not have a significant effect on the water, and the population was never in danger.
The water treatment plant appears to have been breached for about 3 to 5 minutes by unknown suspects on February 5, with remote access taking place twice, at 8:00 a.m. and 1:30 p.m. It is not known if the violation took place in the US or abroad. Police said an investigation was under way into the incident.
Although timely intervention prevented more serious consequences, the sabotage attempt underscores the exposure of critical infrastructure and industrial surveillance systems to cyber-attacks.
The fact that the attacker used TeamViewer to take over the system underscores the need for secure access with multi-factor authentication.
Remote access requirements must be minimized. And if they are really needed then they should be done with predefined and strict data, such as from specific IP addresses, with secure access systems (and not through TeamViewer) and with authentication multiple factorsn.