Cyber criminals have attempted to poison a city’s water supply in the United States.
The attempt sharply highlights how critically important robust cybersecurity is to avoid exposure to hackers.
Someone gained access to a computer at the water facility which supplies Oldsmar City in Pinellas County, Florida.
By altering the facility’s remote-control software, TeamViewer, they increased levels of sodium hydroxide which potentially made the water highly toxic to drink. Swallowing it could cause damage to the mouth, throat and stomach and induce vomiting, nausea and diarrhoea.
It’s not known what security was in place to prevent unauthorized users from gaining access to the critical system. Oldsmar’s Sheriff, Bob Gualtieri, said there were fail-safes and alarms in place to prevent poisoned water from reaching residents. So, he claimed that the actual risk to 15,000 residents was low.
Oldsmar’s remote-controlled water supply is like a lot of small towns in America, where much of the facilities are under-resourced and underfunded. A TeamViewer subscription is much cheaper than a person’s salary and the need to cut costs during the pandemic has meant that few local authorities will be tempted to remove remote control systems from water supplies.
This isn’t the first time it has happened. In 2016, a security report from Verizon detailed a similar attack on an unnamed US water facility. And in 2020 there were multiple unsuccessful hacks on Israeli water supplies.
A cybersecurity advisory by the Massachusetts state government has revealed key details about the security levels at Oldsmar.
The advisory was posted to help local water suppliers in Massachusetts guard against similar attacks. It stated that several computers in the plant shared the same password for remote access. In addition, the computers were connected to the internet without firewall protection and used the 32-bit version of the Windows 7 operating system.
The FBI also issued a private industry notification offering their latest findings and made similar reference to poor password security.
At a House of Representatives Homeland Security Committee meeting, former Cybersecurity, and Infrastructure Security Agency (CISA) director, Christopher Krebs, was asked about the significance of the Oldsmar attack. He said the circumstances were likely to be “the rule rather the exception” because such municipal utilities do not have sufficient resources to budget for robust security programmes.
He said it was possible the attack was by an insider but it’s also possible it was a foreign actor.
He made multiple suggestions for state and federal government in their response to the attempted water poisoning, including more federal funding for municipal security programmes and more training for employees.
Gary Jowett, from Computer & Network Consultants (CNC) in Brighton, said: “Water contamination can happen anywhere. In fact, there have been several instances in recent decades that occurred in the UK. But the incident in Florida involved a malicious cyber-attack. And while the software used may be totally safe when used properly, if the appropriate procedures and safety measures aren’t followed it turns from being a benign helper to a monster. The incident spotlights a wider problem which affects organisations everywhere that have not prioritised investment in the latest operating systems and security. And once again it also highlights the danger of sharing passwords and having a generally lax attitude to security.”