Cybercriminals came close to poisoning the water supply in a Florida city in a remote attack on a water treatment facility, which serves around 15,000 people.
The attackers were able to infiltrate the plant’s systems in Oldsmar and attempted to increase the levels of sodium hydroxide (lye) to potentially dangerous levels.
Sodium hydroxide is used in small amounts during water treatment to control acidity. It is also commonly found in liquid drain cleaners. Around 10 grams of the chemical can be fatal to humans.
Florida County Sheriff Bob Gualtieri said that a computer controlling the water treatment systems was breached twice on February 5th. The first access attempt was noticed in the morning by a plant operator, who assumed it was their supervisor accessing the system.
A second attempt was made in the early afternoon, which saw the attack increase the sodium hydroxide content in the water from 100 parts per million to 11,100 ppm.
The attack took place on a password-protected control panel that was accessed using popular remote control software TeamViewer.
The changes were caught and reversed by an operator, who was also working remotely.
DIGIT’S 2021 #virtualevents calendar:
📅 #MarTech Summit https://t.co/JkViHnOzbF Wed 24 Feb
📅 ScotSecure #CyberSecurity Summit https://t.co/JaD886wGh9 24/ 25 Mar
📅 #DigitalEnergy Summit https://t.co/thGSfrBqlM 22 Apr
📅 DIGIT #Leader Summit https://t.co/alC1xjRvtW 26 May pic.twitter.com/XXGqh5Braw
— DIGIT (@digitfyi) January 18, 2021
“At no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger,” Gualtieri said. He noted that the water would not have entered the system for over a day.
At present, it is unknown who the perpetrator or perpetrators are, or whether they were based inside or outside the US. No arrests have been made.
- MarTech 2021 Virtual Summit | Two weeks to go!
- CD Projekt Red will ‘not give in to demands’ after ransomware attack
- BT Group adds £1.2 billion to the scottish economy, report finds
As of yet, there has never been a recorded case of a ‘cyber-murder’ – a cyberattack made with no other purpose than to kill another human being. September 2020 recorded the first cyberattack-related death, when hackers attacked a Düsseldorf hospital with a ransomware attack. With the hospital locked up, an ambulance carrying a critically ill woman was diverted to another hospital 20 miles away and died from treatment delays.
One of the first cyberattacks that directly targeted human lives instead of money was a 2018 attack on a Saudi petrochemical plant. Cyber attackers were able to gain physical access to the facility and ran malicious code that could have caused an explosion at the facility had the attack not been discovered in time.
However, investigators consider that the Saudi attack has all the hallmarks of a state-backed attack, largely aiming to damage the Saudi economy. While the exact nature of the attacker is still unknown, it still serves as a warning that a successful cyberattack targeting human life may only be a matter of time