A hacker successfully infiltrated the computer system controlling a water treatment facility in the US state of Florida and remotely changed a setting that drastically altered sodium hydroxide (NaOH) levels in the water.
During a press conference held yesterday, Pinellas County Sheriff Bob Gualtieri said an employee at a water treatment plant in Oldsmar, Florida, noticed his mouse cursor moving strangely on his computer screen.
At first, he did not worry. The 15,000-person city's water treatment plant used TeamViewer remote access software to allow staff to share control screens and deal with computer issues. His boss also often connects to the computer to monitor the facility's systems.
However, a few hours later, the shift operator noticed his mouse moving again. This time there was no illusion of benign monitoring by a supervisor or an IT person. The cursor started clicking on the controls of the water treatment plant.
Within seconds, the intruder was trying to change the sodium hydroxide (also known as caustic soda) levels in the water supply, moving the setting from 100 parts per million to 11,100 parts per million. At low concentrations, the corrosive chemical regulates the pH level of drinking water. At high levels, it seriously damages any human tissue it touches.
The employee immediately managed to take control of the mouse and restore the concentration levels before any damage spread. According to the sheriff, the momentary change did not have a significant effect on the water, and the population was never in danger.
The water treatment facility was apparently breached for approximately 3 to 5 minutes by unknown suspects on February 5, with remote access taking place two times, at 8:00 a.m. and 1:30 p.m. It is not known if the breach was made from within the US or outside the country. Police said the incident is under investigation.
Although early intervention prevented more serious consequences, the sabotage attempt highlights the exposure of critical infrastructure facilities and industrial control systems to cyberattacks.
The fact that the attacker used TeamViewer to take over the system underscores the need for secure access with multi-factor authentication.
Remote access requirements must be minimized. Where remote access is really needed, it should be granted under predefined and strict conditions, such as from specific IP addresses, through secure access systems (and not through TeamViewer), and with multi-factor authentication.