On Friday, February 5th, malicious actors hacked into the city of Oldsmar’s water treatment facility. They tried to contaminate the water supply with lye (sodium hydroxide) by increasing the level of the chemical to more than 100 times its usual amount. Thankfully, the attack did not poison anyone, but it exposed thousands of residents to the possibility of being poisoned and highlighted a major flaw in the cyber protection of public systems.
The individual who monitors the water treatment facility witnessed the hacker access the system remotely in real time. This is why the incident could be addressed so quickly and why none of the public was affected. According to Pinellas County Sheriff Bob Gualtieri, at no time was a significant adverse change made to the city’s water supply, and the public was never in danger.
The Oldsmar water treatment facility was very lucky that its operator was paying attention to the systems at the times of the incidents. However, many cybersecurity vulnerabilities led to this operator having to step in and reverse the attack, rather than it having been prevented in the first place.
The hackers got into the system twice, making their entry through a dormant piece of software called TeamViewer, which was still on the water treatment facility’s systems despite not having been used in over six months. The German-owned company TeamViewer said that the attack was not due to a flaw or vulnerability on its end, but the Oldsmar assistant city manager, Felicia Donnelly, stated that access to the software required a password, so it is not clear how the attacker gained access to TeamViewer in order to use it as a tool. However, because the software was not being used, it was not being monitored and was left as a vulnerable doorway for such an attack.
The water treatment facility was reportedly running the Windows 7 operating system at the time of the attack, which has become outdated now that numerous newer versions of Windows have been released since that iteration. Additionally, the facility uses Google Chrome for remote access activities; because it is so commonly used for these purposes, it is an easy target for hackers. Though these outdated systems are not believed to be the reason for this particular attack, they indicate that cybersecurity is not a priority at this location and needs to be revisited.
This type of cybersecurity threat obviously goes above and beyond hacking in the typical sense, as it has real-life implications that could have been fatal. Unfortunately, many public systems have vulnerabilities that mirror the security flaws of this Florida water treatment facility and could also have detrimental, real-life repercussions. It is important for these entities to invest in cybersecurity so that very real potential threats never even come close to occurring.