UPDATE: Feb. 12, 2021: Hackers gained remote access to the Oldsmar, Florida water plant's supervisory control and data acquisition (SCADA) system via the TeamViewer software, according to an advisory from authorities in Massachusetts. The SCADA system was reachable from computers throughout the water plant, all of which shared a single password for remote access.
The computers were running the outdated Windows 7 operating system, which "will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities," the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory Thursday. Microsoft discontinued support for the OS in January 2020.
The water plant's computers were also connected openly, without a firewall, to the internet, according to Massachusetts authorities.
CISA advises water and wastewater systems to install independent cyber-physical safety controls, such as gearing on valves and pressure switches, that physically prevent dangerous conditions even if the control system is compromised. Such controls let smaller water plants with limited cybersecurity resources plan "from a worst-case scenario" in which an attacker does gain access to the system.
Oldsmar representatives did not respond in time to Cybersecurity Dive's request for comment.
Dive Brief:
- The water treatment plant of the City of Oldsmar, just outside Tampa, Florida, was targeted by a cyberattack on Friday, Sheriff Bob Gualtieri said in a press conference Monday. A criminal investigation with the FBI and Secret Service is underway.
- A plant operator noticed remote activity on the TeamViewer software around 8 a.m. Friday. The software allows remote access for troubleshooting, and the operator assumed the actions were those of a supervisor, said Gualtieri. It wasn't until the afternoon that the unauthorized actor began opening functions pertaining to water treatment.
- The actor accessed the function controlling the level of sodium hydroxide in the water, changing the setpoint from 100 parts per million to 11,100 parts per million, far above safe levels for consumption. The plant operator watching the activity reverted the setpoint immediately. "The public was never in danger," said Gualtieri.
Dive Insight:
The Oldsmar attack wasn't a sophisticated, stealthy hack: the operator watched the remote actor's mouse travel across the computer screen. Had an operator not been there to follow along, however, the breach might have been missed.
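Detection in Oldsmar rested on a person happening to watch the screen. As an added illustration (not code from the Oldsmar plant, from CISA, or from any vendor), the following Python monitor applies three checks to a constructed log of setpoint writes: an engineering range per tag, a maximum step ratio for a single write, and whether the write came from a remote-access session. The tag names, the numeric limits, the log format and the `REMOTE:` source label are all assumptions; the NaOH range in particular is illustrative, not the plant's real limit. The `clamp` function plays the role of the independent safety control CISA recommends: whatever value the control system is told, it never passes one outside the range.

```python
"""Setpoint-change monitor for a chemical dosing controller (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Assumed per-tag engineering limits; values are illustrative only.
LIMITS = {
    "NAOH_DOSE_PPM": (0.0, 200.0),   # assumption, not the plant's real limit
    "PH_TARGET": (6.5, 9.0),
}

# Any single write that multiplies a setpoint by more than this raises an alert.
MAX_STEP_RATIO = 2.0


@dataclass(frozen=True)
class SetpointChange:
    ts: datetime
    tag: str
    old: float
    new: float
    source: str  # e.g. "HMI_LOCAL" or "REMOTE:TeamViewer" (assumed labels)


def parse_line(line: str) -> SetpointChange:
    """Parse the constructed format '<iso-ts> <tag> <old> -> <new> via <source>'."""
    ts, tag, old, _arrow, new, _via, source = line.split()
    return SetpointChange(datetime.fromisoformat(ts), tag, float(old), float(new), source)


def check(change: SetpointChange) -> list[str]:
    """Return the reasons this write should alarm; an empty list means acceptable."""
    reasons = []
    lo, hi = LIMITS.get(change.tag, (float("-inf"), float("inf")))
    if not lo <= change.new <= hi:
        reasons.append(f"out of engineering range [{lo}, {hi}]")
    if change.old > 0 and change.new / change.old > MAX_STEP_RATIO:
        reasons.append(f"step change x{change.new / change.old:.0f} exceeds x{MAX_STEP_RATIO}")
    if change.source.startswith("REMOTE:"):
        reasons.append("written from a remote-access session")
    return reasons


def clamp(change: SetpointChange) -> float:
    """Independent limit, like a physically sized pump: never pass a value outside the range."""
    lo, hi = LIMITS.get(change.tag, (float("-inf"), float("inf")))
    return min(max(change.new, lo), hi)


def scan(lines):
    """Run every line through check(); return (change, reasons, clamped value) for alerts."""
    alerts = []
    for line in lines:
        ch = parse_line(line)
        reasons = check(ch)
        if reasons:
            alerts.append((ch, reasons, clamp(ch)))
    return alerts


# Constructed sample events, not real plant data. The third line mirrors the
# 100 ppm -> 11,100 ppm change described in the article.
SAMPLE_LOG = [
    "2021-02-05T08:02:11 NAOH_DOSE_PPM 100 -> 105 via HMI_LOCAL",
    "2021-02-05T09:15:40 PH_TARGET 7.4 -> 7.5 via HMI_LOCAL",
    "2021-02-05T13:30:05 NAOH_DOSE_PPM 100 -> 11100 via REMOTE:TeamViewer",
    "2021-02-05T13:31:00 NAOH_DOSE_PPM 100 -> 120 via REMOTE:TeamViewer",
]

if __name__ == "__main__":
    for ch, reasons, safe in scan(SAMPLE_LOG):
        print(f"{ch.ts.isoformat()} {ch.tag} {ch.old} -> {ch.new} [{ch.source}]")
        for r in reasons:
            print(f"    ALERT: {r}")
        print(f"    value actually applied after clamp: {safe}")
```

The remote-session rule alone fires on the fourth line, a modest change made over TeamViewer, which is the right behaviour for a plant where remote writes are rare and every one should be reviewed. The range and step-ratio rules do not depend on catching the session at all: they flag the dangerous value on the historian record even hours after the fact, which is what would have surfaced the Oldsmar change had nobody been watching.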
"This is somebody that is trying — as it appears on the surface — to do something bad. It's a bad actor," said Gualtieri. "This type of hacking of critical infrastructure is not necessarily limited to just water supply systems."
The most common weaknesses in operational technology and industrial control systems (ICS) are outdated software and infrequent patching; ICS environments often run on decades-old equipment that cannot easily be updated.
In the second half of 2020, industrial cybersecurity company Claroty found a 25% increase in disclosed ICS vulnerabilities over the same period of 2019, and a 33% increase over the first half of 2020. Of the 449 vulnerabilities disclosed across 59 vendors, 70% received high or critical Common Vulnerability Scoring System (CVSS) scores, and more than three-quarters did not require authentication to exploit.
Over the years, the barrier between IT and OT was deliberately broken down for ease of use, which opened the door to malicious activity. Stuxnet, which wormed its way into a uranium enrichment facility in 2010, was one of the first examples. In 2013, foreign adversaries breached a dam outside New York City.
When cyberattacks escalate to the potential for bodily harm, it raises the question of how far a cyberattack can go before it violates international law.
"Someone tried to hurt (potentially kill) people through a cyberattack. That’s a big deal. All the other details are important to discuss and debate but we can’t lose the bigger picture," tweeted Dragos CEO Robert Lee.
Sodium hydroxide is the primary ingredient in liquid drain cleaners, according to Gualtieri. Even had the change gone unnoticed, water treated at the elevated dose would have taken 24 to 36 hours to reach the supply, and safety redundancies and pH alarms stood in between.
Critical infrastructure in the energy, manufacturing, and water and wastewater industries is most at risk of exploitation, Claroty found. In H2 2020, the water and wastewater sector accounted for 111 vulnerabilities recorded in the National Vulnerability Database (NVD) and in advisories published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), up from 72 disclosed vulnerabilities in the sector in 2019.
The Oldsmar treatment plant has since disabled the program and will "make some upgrades to other parts of the system" to prevent similar activity, said City Manager Al Braithwaite, during the press conference.