Hackers Go After Florida's Precious Bodily Fluids
In another sign that we're all living in a cyberpunk novel now, only without all the coolest stuff, a small town in Florida was the target of a cyberattack on Friday in which someone tried to poison the town's water supply by getting into the water utility's computer system. The hacker got into software used for remote monitoring of the water system for the town of Oldsmar, Florida (population about 15,000), then manipulated the level of sodium hydroxide, or lye, increasing it to dangerous levels.
Fortunately a worker at the utility saw the intrusion and immediately reversed the changes before any significant contamination occurred. Oldsmar Mayor Eric Seidel explained at a press conference yesterday that the utility has other safety procedures in place that would have kept water with dangerous amounts of lye from reaching the town's water supply.
Even so, as the New York Times points out, it's the kind of cyberattack on critical infrastructure that has been giving computer security experts the willies for decades. (OK, not exactly how the Times would put it. They'd say it gives experts the Williams.)
So there's a new thing for Florida to worry about: Hacks to your Oldsmar.
Reuters reports the hackers accessed a software system called TeamViewer that allows plant operators to monitor and control the water plant remotely, and began controlling an employee's computer as he watched. The first notice that someone was accessing the computer occurred Friday morning, and the employee thought little of it, because supervisors regularly did that as part of the job. The unauthorized user then returned in the early afternoon and got into control systems that increased the amount of lye, which is normally used in tiny amounts to adjust the acidity of the drinking water, from its normal 100 parts per million to 11,100 parts per million.
Pinellas County Sheriff Bob Gualtieri told Reuters,
The guy was sitting there monitoring the computer as he's supposed to and all of a sudden he sees a window pop up that the computer has been accessed. The next thing you know someone is dragging the mouse and clicking around and opening programs and manipulating the system.
The plant employee immediately returned the sodium hydroxide to normal levels, then alerted a supervisor and called the sheriff's office, so hooray. Seidel and Gaultieri said at the presser that even if the employee hadn't been watching the hack happen, other safeguards would have protected the water supply, because it would have taken more than a day for water to get from the treatment system to the water supply, with multiple monitoring checks along the way.
Gaultieri said he wasn't sure exactly how that high concentration of lye in water would affect humans had it made it into the system, but said you didn't have to be a chemist to know it would be very bad. The Tampa Bay Times noted that "In 2007, the water of a town in Massachusetts was accidentally treated with too much lye, causing burns and skin irritation among people who showered with it," although our own (very cursory) searching didn't find out exactly what concentration of lye was in the water in that incident.
Sen. Marco Rubio (R-Florida) took to the Twitters to say the incident "should be treated as a matter of national security," and then today was back to his usual fare, complaining that Democrats were very bad people for not making coronavirus variants go away instead of holding Donald Trump accountable by impeaching him.
Rubio is at least right about the national security thing; as the New York Times details, cybersecurity experts have long worried about attacks on small critical infrastructure systems, since they're less likely to have the kind of robust security large companies and governments use (not that those are foolproof, either).
"These are the targets we worry about," said Eric Chien, a security researcher at Symantec. "This is a small municipality that is likely small-budgeted and under-resourced, which purposely set up remote access so employees and outside contractors can remote in."
That, Mr. Chien said, makes them a ripe target.
Another computer security boffin consulted by the Times (we're not copying his 15-word title), Daniel Kappellman Zafra, said his firm has seen lots of probes and hacks of such systems
by novices "seeking to access and learn about remotely accessible industrial systems."
"Many of the victims appear to have been selected arbitrarily," he said, "such as small critical infrastructure asset owners and operators who serve small populations."
So far, happy day, he says none of those attacks has actually resulted in damage to infrastructure.
It could take months for the actual source of the Oldsmar intrusion to be discovered, the Times notes, and it really could be anything from a foreign country's hacking operation to bored teens trying to poison small towns for the lulz. Oldsmar has disabled the remote access functions of TeamViewer while officials investigate what exactly went wrong. The FBI and Secret Service have also been contacted by the municipality, which has also warned other Florida communities to beef up their security.
Seems like the sort of thing we should be paying attention to, just maybe.
In the meantime, I really don't like the way my microwave is looking at me.
Yr Wonkette is funded entirely by reader donations. Please help if you can with a monthly $5 to $10 donation, and we'll put in a good word for you with Alexa.
Doktor Zoom's real name is Marty Kelley, and he lives in the wilds of Boise, Idaho. He is not a medical doctor, but does have a real PhD in Rhetoric. You should definitely donate some money to this little mommyblog where he has finally found acceptance and cat pictures. He is on maternity leave until 2033. Here is his Twitter, also. His quest to avoid prolixity is not going so great.