The hack of a Florida city’s water treatment plant and attempt to remotely contaminate the supply with a caustic chemical could have been the work of a disgruntled employee or a nation-state, experts said, but outdated software and remote access controls underscored the need for security investments in critical infrastructure.
The Pinellas County Sheriff’s Office said it was notified on Feb. 5 of computer software intrusions at 8 a.m. and 1:30 p.m. at the City of Oldsmar’s water treatment plant. The system “allows for remote access by authorized users to troubleshoot any system problems from other locations,” the sheriff’s office said.
The first intrusion of the day “was brief and not cause for concern due to supervisors regularly accessing the system remotely to monitor the system,” the sheriff’s office said. At 1:30 p.m., a plant operator “witnessed a second remote access user opening various functions in the system that control the amount of sodium hydroxide in the water.”
“The operator noted the remote access user raised the levels of sodium hydroxide in the water. The operator immediately reduced the levels to their appropriate amount,” the sheriff’s office said. “The initial investigation revealed that the hacker remotely accessed the treatment plant’s computer for approximately 3 to 5 minutes.”
“At no time was there a significant effect on the water being treated, and more importantly the public was never in danger,” Sheriff Bob Gualtieri said.
A Massachusetts Department of Environmental Protection advisory to public water suppliers said access to the supervisory control and data acquisition (SCADA) system was accomplished via remote access software TeamViewer. “All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system,” the advisory said. “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
The sheriff said TeamViewer had not been used in about six months but had not been removed from the system. And Microsoft stopped offering support for Windows 7, a 2009 release, a year ago.
At a Wednesday House Homeland Security Committee hearing on cyber threats, Chris Krebs, former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said in cases such as this “there is the potential for insider threat.”
“I think it’s possible that this was an insider or a disgruntled employee. It’s also possible that it was a foreign actor. This is why we do investigations,” Krebs said. “But we should not immediately jump to a conclusion that it is a sophisticated foreign adversary. The nature of the technology deployment in Florida is frankly not — certainly not — where anybody, I think, any information security or operational technology security…