A water treatment facility in Oldsmar, Florida had its SCADA system breached by an unidentified hacker, who attempted to modify chemical levels and effectively poison the local water supply. The intrusion was quickly detected and contained, and no tainted water was delivered to the local populace.
Technical Detail & Additional Information
WHAT IS THE THREAT?
On Friday, February 5th, 2021, an unidentified hacker gained access to a SCADA system device at the Oldsmar, FL water treatment facility and attempted to manipulate chemical levels in the water. Per the ongoing investigation, the threat actor gained initial access via TeamViewer, a popular remote desktop application, at 8:00 am and returned for about 5 minutes at 1:30 pm the same day. The malicious actions are reported to have been taken during the second intrusion, when the threat actor changed the sodium hydroxide setpoint from 100 parts per million to 11,100 parts per million. The operator monitoring the compromised system saw the change as it was made and reverted it immediately after the hacker disconnected. The Secret Service and FBI are currently assisting in the investigation.
Sodium hydroxide, commonly known as lye and an ingredient in liquid drain cleaners, is added to drinking water to reduce acidity and help remove metals. The small amounts used in treatment are safe to consume; at high concentrations it is caustic and dangerous to humans.
WHY IS IT NOTEWORTHY?
The Oldsmar incident is not the first of its kind; it is at least the second reported intrusion at a water utility within the United States. A similar incident occurred at an undisclosed US water treatment plant in 2015-2016, where the intruders made seemingly random changes to treatment settings. More recently, in 2020, the Israeli government reported attacks on its water infrastructure and attributed them to Iran. Security firms such as Tenable, BlueVoyant, Claroty and FireEye, as well as the FBI and DHS, all recognize that SCADA systems, and water treatment facilities in particular, are among the most vulnerable critical infrastructure because of outdated technology and low budgets. The timing and location of this attack are also noteworthy: Oldsmar sits near Tampa, and the intrusion took place on February 5th, two days before the 55th Super Bowl was played nearby. The influx of fans for an event of that scale would have made a successful attack far more damaging, a reminder that circumstance can be a large factor in the impact of any malicious action.
WHAT IS THE EXPOSURE OR RISK?
The TeamViewer website currently advertises more than 2.5 billion downloads of its software. While the initial access vector has not been confirmed, TeamViewer has stated that there is no indication its software was compromised. Companies that use remote connection services to reach secure or critical infrastructure are potentially at risk, especially institutions that house or maintain SCADA systems.
WHAT ARE THE RECOMMENDATIONS?
Current recommendations to prevent unauthorized access to an environment are:
- Ensure proper authentication, access control, and auditing are in place so that every remote and local login and session is authorized and recorded. Restrict remote access tools to the hosts and users that need them, and do not expose them directly to the internet.
- Use multi-factor authentication wherever possible.
- Follow good password hygiene: strong, unique passwords for each user and each system, rotated when staff or vendors change.
- Run vulnerability scans and penetration tests on a regular schedule to identify, and patch, vulnerabilities on the network.
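The auditing recommendation above only helps if someone actually reviews the remote-access records. The following is an added example (not code from the original advisory or from TeamViewer) that reads a TeamViewer-style incoming-connection log and flags sessions from remote IDs that are not on an allow-list or that start outside an approved maintenance window. It assumes the tab-separated layout of TeamViewer's Connections_incoming.txt (remote ID, display name, start, end, local user, connection type, connection GUID); the log lines, the allow-list and the maintenance window are constructed for illustration and are not data from the Oldsmar incident.

```python
"""Audit a TeamViewer-style incoming-connection log for sessions that need review.

Added example for this advisory, not TeamViewer's or the utility's own code.
Assumes the tab-separated column order of Connections_incoming.txt
(ID, display name, start, end, local user, type, connection GUID) with
DD-MM-YYYY HH:MM:SS timestamps. Sample lines and policy values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample log lines (not real incident data).
SAMPLE_LOG = """\
111222333\tOperator-Laptop\t05-02-2021 07:12:04\t05-02-2021 07:40:31\tscada-ops\tRemoteControl\t{a1}
999888777\tUnknown\t05-02-2021 08:00:19\t05-02-2021 08:00:52\tscada-ops\tRemoteControl\t{b2}
999888777\tUnknown\t05-02-2021 13:30:10\t05-02-2021 13:35:02\tscada-ops\tRemoteControl\t{c3}
111222333\tOperator-Laptop\t05-02-2021 22:05:00\t05-02-2021 22:20:00\tscada-ops\tRemoteControl\t{d4}
"""

ALLOWED_IDS = {"111222333"}                      # assumed: vetted operator/vendor TeamViewer IDs
MAINTENANCE_WINDOW = (time(6, 0), time(18, 0))   # assumed: approved hours for remote sessions
TS = "%d-%m-%Y %H:%M:%S"


@dataclass
class Session:
    remote_id: str
    name: str
    start: datetime
    end: datetime
    local_user: str
    kind: str
    conn_id: str

    @property
    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


@dataclass
class Finding:
    conn_id: str
    remote_id: str
    start: str
    minutes: float
    reasons: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Parse tab-separated connection records; reject malformed lines loudly."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"unexpected field count in log line: {line!r}")
        rid, name, start, end, user, kind, cid = fields
        sessions.append(Session(rid, name, datetime.strptime(start, TS),
                                datetime.strptime(end, TS), user, kind, cid))
    return sessions


def review_sessions(sessions, allowed=ALLOWED_IDS, window=MAINTENANCE_WINDOW) -> list:
    """Return a Finding for every session that violates the allow-list or the window."""
    findings = []
    for s in sessions:
        reasons = []
        if s.remote_id not in allowed:
            reasons.append("remote ID not on allow-list")
        if not (window[0] <= s.start.time() < window[1]):
            reasons.append("started outside maintenance window")
        if reasons:
            findings.append(Finding(s.conn_id, s.remote_id, s.start.strftime(TS),
                                    round(s.minutes, 1), reasons))
    return findings


def repeat_unlisted_ids(sessions, allowed=ALLOWED_IDS) -> set:
    """Unlisted remote IDs that connected more than once: a return visit, as in this incident."""
    counts = {}
    for s in sessions:
        if s.remote_id not in allowed:
            counts[s.remote_id] = counts.get(s.remote_id, 0) + 1
    return {rid for rid, n in counts.items() if n > 1}


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for f in review_sessions(sessions):
        print(f"{f.conn_id} from {f.remote_id} at {f.start} ({f.minutes} min): {', '.join(f.reasons)}")
    print("repeat visitors not on allow-list:", repeat_unlisted_ids(sessions))
```

Run on the constructed log, the two sessions from the unlisted ID are flagged even though they fall inside business hours, and the same ID shows up as a repeat visitor; the late-evening session from a listed ID is flagged only for its timing. A real deployment would ship these logs off the SCADA host to a central collector so that review does not depend on the compromised machine's own records.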
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.