[German]A nightmare of hackers using the Internet to manipulate a city's water supply and make drinking water undrinkable or even poison it has come true again in the United States. A hacking operation in which an intruder spent minutes opening valves at the water treatment plant to increase the concentration of sodium hydroxide in the water just became public.
Advertising
On Monday, Pinellas County, Florida officials disclosed the incident in which an unidentified hacker remotely gained access to the City of Oldsmar's water treatment system control system (see this video). The intruder managed to change various settings on the control system. Among them was a valve that was opened to dramatically increase the amount of sodium hydroxide in the water supply.
Sodium hydroxide in the water
Sodium hydroxide (NaOH, caustic soda) dissolves very well in water and makes it alkaline – which then becomes sodium hydroxide and is undrinkable. Drain cleaners contain NaOK and caustic soda is used to disinfect tanks and pipes, but in higher concentrations it causes longer term damage to plant components such as pipes. If I have understood correctly, NaOH is also used to raise the PH value of water. It can also be used to bind heavy metals.
Hacker accessed the control system
During a press conference, Pinellas County Sheriff Bob Gualtieri said a plant operator saw the change and quickly reversed it. But the hacking attack posed a serious threat to the city's water supply. According to Gualtieri, the hacker changed the sodium hydroxide concentration dosage from about one hundred parts per million to 11,100 parts per million. This was attempted not once, but twice.
The site vice reports here, that the operator became aware of the change and probably reversed it twice. I assumed that these changes triggered an alarm in the control system, which alerted the operator. However, Bleeping Computer reports here that a plant operator saw someone take control of the mouse and use it to make changes to the valve settings.
The intruder spent between three and five minutes in the system changing the sodium hydroxide level. Since the plant operators were aware of this, the change was immediately reversed. In this context, it is unclear to me why the control of the valves in question could be accessed via the Internet, given that the water supply is part of the critical infrastructure (but see the last paragraph).
Advertising
The operators assured that the population of Oldsmar had not been endangered at any time, but they have now woken up and switched off remote access to the plant. So some learning has already taken place. And my suspicion that the PH value of the water is monitored and an alarm is triggered if tolerances are exceeded has also been confirmed. Eric Seidel, the city's mayor, said Oldsmar's water treatment system is set up with redundancies that would have triggered an alarm if the water's chemical levels reached dangerous levels.
The nasty secret: Teamviewer makes "hacking" easy
However, it doesn't seem to have been a really sophisticated hacking, but once again an example for bankruptcies, bad luck and breakdowns, where the responsible persons have nothing under control. There is some interesting information about this: Felicia Donnelly, the deputy city manager in Oldsmar, Florida, wrote in an email to Motherboard that the system the hacker accessed required a password to be remotely controlled, of course. But then information leaked to the public via Reuters that the remote access was via TeamViewer. Jessica Mackesy of the Pinellas County Sheriff's Office confirmed to Motherboard in an email when asked that TeamViewer was used as the remote access software. It appears that the hacker was able to access the control system's computers via TeamViewer.
Advertising