Skip to content ↓ | Skip to navigation ↓

An attacker hacked into a Florida city’s water treatment plant and attempted to leverage that access to poison the municipality’s water supply. 

According to WTSP-TV, an operator at the water treatment plant in the 15,000-person City of Oldsmar, Florida noticed someone controlling his mouse cursor on February 5 at around 08:00. 

The operator didn’t think much of it initially. Supervisors had used remote access software on the computer he was monitoring to troubleshoot issues in the past. 

What got the operator’s attention was when the cursor moved again and changed the setting of sodium hydroxide within the water from 100 parts per million (ppm) to 11,100 ppm. 

The University of Florida Academic Health Center noted that sodium hydroxide (lye) poisoning can result in loss of vision, severe abdominal pain and shock, among other symptoms. 

Upon seeing the change, the operator adjusted the sodium hydroxide levels back to 100 ppm.  

Local officials clarified that there were additional safety measures in place that would have also prevented the change. 

Tim Erlin, VP of product management and strategy at Tripwire, explained that the attack was therefore limited from its inception. 

“While this incident will rightfully cause concern, it appears that the likelihood of real damage was minimal due to the fail safes in place. There are real impacts to be worried about, and actions to be taken, but this doesn’t appear to be a sophisticated or novel attack.”  

According to The Washington Post, Pinellas County Sheriff Bob Gualtieri said that the attackers appeared to have compromised and then misused the water treatment plant’s TeamViewer software. But he stopped short of saying how the malicious actors had compromised that software, how they had gained access to the plant’s IT network and how they had ultimately pivoted to the plant’s operational technology (OT). 

WTSP-TV wrote that the water treatment plant had decided to temporarily disable TeamViewer while it worked on preventing a similar incident from happening again. 

Erlin explained that this type of attack demonstrates the types of threats confronting industrial organizations that are pursuing the convergence of their IT and OT assets

“From a cybersecurity standpoint, we should be particularly concerned about how the attacker was able to authenticate into the remote access software,” he said. “That entry point should be very well protected, given that it provides access to such obviously sensitive capabilities. Protecting remote access into industrial systems where these types of changes can be made should be a high priority for any industrial environment.” 

Water treatment plants and other industrial organizations need visibility into their environments in order to monitor for potential problems such as those described above and to use threat modeling along with basic security hygiene to reduce their attack surface. Learn how Tripwire’s ICS solutions can help

Mastering Configuration Management Across the Modern Enterprise