According to a Wired Magazine report, on or around 8 a.m. on February 8, 2021, an employee at a water treatment plant in Oldsmar, Florida, noticed that the cursor on his computer was moving strangely. Attempts to get it under control proved fruitless.
Soon, the police were called in. They reported that the unstoppable, uncontrollable cursor was now clicking through the plant’s water treatment controls. Suddenly, it triggered the system to release large amounts of sodium hydroxide, which is used in small amounts to treat water. The cursor, working on its own, changed the setting from 100 parts per million of sodium hydroxide to 11,100 parts per million.
At such a high dosage, it would severely damage human skin if touched. You can imagine what would happen if the water were consumed.
As you might assume by now, that cursor was in the hands of a cyber hacker. The Sheriff, Bob Gualtieri, said it was a cyber intrusion to actively sabotage the county’s water supply. “This is dangerous stuff. This is somebody trying, it appears on the surface, to do something really bad.”
Floridians living in this county must count their blessings that the incident was uncovered and stopped before it could cause severe damage. However, the water department, along with the sheriff and public health officials, now must figure out how this happened and how to prevent it in the future.
When it comes to water, this is not a “should we or shouldn’t we” situation. This must be done.
As to how it could have happened, the answer is simple: it was easy. This was not a fluke, says Larry Dietz of TAL Global, a worldwide security and risk management firm. “Attackers have access to very sophisticated technologies. These technologies make it quite easy to break through cybersecurity systems and potentially do serious damage.”
In fact, water and wastewater treatment facilities around the country are now considered high-risk targets for cyberattacks. Further, studies show that each year they are becoming even more vulnerable. According to Dietz, among the reasons this is happening are the following:
- Age. Aging water infrastructure makes these treatment plants more vulnerable to hackers.
- Technology obsolescence. Some of the computer technologies used to operate water treatment plants are several years old, introduced before cyber-attacks were such a high-level concern.
- Lack of funding. This is true for all treatment facilities, not just small facilities like this one in Florida. Funding for water infrastructure is limited in the U.S., and this includes updating computer technologies.
- The pandemic.
We need to explore this last point in greater detail. Due to the pandemic, water utility companies have allowed their staff to work remotely, just like most organizations. This means staff now reach centralized computers through remote access systems.
“The problem is that not only can insiders exploit the convenience of remote access, but intruders and hackers can as well,” says Dietz. “When this happens, risks and danger often follow.”
So, how can we get on top of situations like this and reduce these risks? According to Dietz, among the steps water utility companies and all organizations should take are the following:
- Develop more robust multi-factor authentication systems that are dynamic in their operation.
- Have a thorough risk assessment conducted. Unfortunately, most water companies and others will have a good handle on their physical vulnerabilities, but no clue as to their cybersecurity profile.
- Get fresh eyes on the scene. Having someone new analyze the facility and the computers that operate it is imperative, especially now with so many people working remotely.
- Install alarm systems. These are not burglar alarms. Instead, they are triggered when an unusual computer request is made or detected, such as dramatically increasing the sodium hydroxide in water.
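The kind of alarm described in the last item, as an added example that is not code from this article or from any plant: each setpoint change is checked against an engineering maximum and a maximum step size, and flagged changes made over remote access are marked as such. The tag names, limits and log records are assumptions constructed for illustration; only the 100 and 11,100 ppm values come from the report above.

```python
from dataclasses import dataclass

# Assumed limits per setpoint tag; real values come from the plant's process engineers.
LIMITS = {"NaOH_ppm": {"max": 200.0, "max_step": 50.0}}

@dataclass
class SetpointChange:
    ts: str        # time of the change as logged by the HMI
    tag: str       # setpoint being changed
    old: float
    new: float
    session: str   # "local" console or "remote" access session

def evaluate(change):
    """Return alarm reasons for one setpoint change; an empty list means normal."""
    limit = LIMITS.get(change.tag)
    if limit is None:
        return ["no_limits_defined"]  # unknown tags are flagged, never silently passed
    reasons = []
    if change.new > limit["max"]:
        reasons.append("above_engineering_max")
    if abs(change.new - change.old) > limit["max_step"]:
        reasons.append("step_too_large")
    if reasons and change.session == "remote":
        reasons.append("made_from_remote_session")
    return reasons

def scan(events):
    """Return (event, reasons) pairs for every change that should raise an alarm."""
    return [(e, r) for e in events if (r := evaluate(e))]

# Constructed sample log; only the 100 -> 11,100 ppm change mirrors the report.
SAMPLE = [
    SetpointChange("T1", "NaOH_ppm", 100.0, 110.0, "local"),
    SetpointChange("T2", "NaOH_ppm", 110.0, 100.0, "remote"),
    SetpointChange("T3", "NaOH_ppm", 100.0, 11100.0, "remote"),
    SetpointChange("T4", "Cl2_ppm", 2.0, 2.5, "local"),
]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE):
        print(f"ALARM {event.ts} {event.tag} {event.old} -> {event.new}: {', '.join(reasons)}")
```

In practice a check like this belongs in front of the control system, so that an out-of-range request is held for operator confirmation as well as logged.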
Finally, this is not a one-time project. “We must always view security and risk management as a journey,” adds Dietz. “Unsavory characters are getting much more sophisticated. We must always stay one giant step ahead of them.”