On Feb. 5, 2021, a plant operator for Oldsmar, a city of about 15,000 on Florida’s west coast, saw his cursor being moved around on his computer screen, opening various software functions that control the water being treated.
The Friday before the Super Bowl in Tampa Bay, a hacker gained access to the control systems for the Oldsmar Water Treatment facility and increased the sodium hydroxide levels in the city’s water from 100 parts per million to 11,100 parts per million. If allowed to reach the public, the results could have been lethal.
Sodium hydroxide is used in small amounts to keep water systems clean. However, the compound is also used in cleaning supplies such as drain cleaners. In higher concentrations, it can cause irritation and burns and harm people.
State officials reported that existing controls would have likely prevented contaminated water from reaching the public. However, people are concerned about the ease with which the hacker was able to gain remote access.
The infiltrator quickly accessed the systems controlling chemical levels and began to make changes. Both the person’s awareness of the system and their actions demonstrate a malicious intent that should concern everyone who oversees critical infrastructure.
For more information, federal agencies have released a report entitled “Compromise of U.S. Water Treatment Facility” that summarizes the incident.
Many security recommendations have been made, such as updating passwords, setting tighter access requirements and updating operating systems. These steps are good standard network hygiene, but they do not solve the critical network security issues. Implementing a network based on Zero Trust can address these issues.
Zero Trust requires that every node on the system be verified as trustworthy before anything is allowed to move between endpoints. This is the most effective way of eliminating data breaches and securing your critical infrastructure. Zero Trust is a proven cybersecurity practice.
“Luckily somebody stopped it beforehand, but what it did was open my eyes that there’s something going on in our state… We might have some more cyberattacks in the future, which really could put people’s lives at risk if we don’t get this under control sooner than later.”
– Nikki Fried, Florida Agriculture Commissioner
“Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present date.”
– Compromise of U.S. Water Treatment Facility report
“Remote access has been allowed because it allows Plant personnel to access the system while out in the field, and the consultant needs access in order to assist the staff in making programming adjustments/changes quickly, if necessary.”
– Eric Seidel, Mayor, Oldsmar