Unauthorized access to the water supply nearly had fatal consequences: hackers increased the proportion of caustic soda in the water a hundredfold. The attack shows the danger posed by digitized infrastructure.
It sounds like a scene from a spy film: an external attacker gains access to the water supply and increases the proportion of a chemical in the drinking water, making it toxic to humans. But that is exactly what has happened in Pinellas County, Florida. The attack, discovered in time, represents an enormous danger.
On Friday, an employee at a water treatment plant in Oldsmar, near Tampa, noticed something was wrong. Someone had logged into his computer from an external computer, and a pop-up window warned him of it. Because nothing more happened, the employee apparently thought nothing of it. But a few hours later the message reappeared. And it got a lot worse. “Suddenly someone moved the mouse, clicked around, opened programs and manipulated the system,” said Sheriff Bob Gualtieri at a press conference on Monday. Then the attacker went even further: he increased the proportion of caustic soda in the water, making it dangerous for humans.
100 times the amount of lye
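The increase was alarmingly high: normally one milliliter of caustic soda per 10 liters is added to the water in the system to keep it clean, but the hacker raised the proportion to 111 milliliters. The compound, which is toxic in large quantities, suddenly made up one percent of the drinking water. “It’s dangerous,” the sheriff clarified. Fortunately, the change was immediately apparent. After the hacker left the system, the employee lowered the percentage back to normal.
The hacker was able to access the system at all because of legitimate software. The TeamViewer program displays the screen contents of another computer on a remote device and also lets the remote user take control. It was used in the water treatment plant to allow authorized employees remote access to the system. How the attacker managed to bypass the password protection is now just as much a subject of the investigation as the question of who exactly is behind the manipulation. As a precautionary measure, remote access was turned off for the time being, the city said.
Oldsmar apparently got off lightly. Sheriff Gualtieri explained that the amount of water dispensed with an actually increased proportion of lye was minimal. The city, with its 15,000 inhabitants, could have faced terrible consequences had the change been discovered later. The lethal dose of caustic soda is given as 20 milliliters of a 15 percent caustic solution. That amount would have been ingested with just a few hundred milliliters of the drinking water. However, the attack would have had to go undetected for at least 36 hours before the contaminated water reached households, Gualtieri clarified. Nonetheless, the FBI and the Secret Service are now also concerned with the case.
Infrastructure as a target
The attack that was prevented is an impressive reminder of the dangers of digitization efforts in infrastructure. Not only in the USA is an ever larger part of public services networked and run via computers connected to the Internet. That makes them vulnerable. The last few years have shown that these are not purely theoretical dangers. There were repeated test runs to check the US power supply for weak points. The attacks are generally attributed to Russia. But the US is also targeting the power supply of its perennial rival. “Software bombs” were placed in Russia’s power grids, according to insiders at the Pentagon in 2019.
The infrastructure of hostile states has been a popular target in armed conflicts for thousands of years. The difference from the past is that today soldiers or bombs are no longer necessary to cut off the electricity or water supply to the enemy in the event of a conflict. Instead, it is theoretically sufficient to use malware to bring the relevant systems under your own control.
It is difficult to forgo the digitization of infrastructure entirely. However, with precautionary measures, such as decoupling the critical areas from the network, the risk can be considerably reduced. A remote access solution like TeamViewer should really be out of the question in such a sensitive environment. Sheriff Gualtieri is also certain: “That should be a wake-up call for us.”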
Infrastructure as a goal
The attack that was prevented is an impressive reminder of the dangers of digitization efforts in the infrastructure. Not only in the USA is an ever larger part of the general interest networked and processed via computers connected to the Internet. That makes them vulnerable. The last few years have shown that these are not purely theoretical dangers. There were repeated test runs to check the US power supply for weak points. The attacks are generally attributed to Russia. But the US is also targeting the power supply of its eternal competitor. “Software bombs” were placed in Russia’s power grids, according to insiders at the Pentagon in 2019.
The infrastructure of hostile states has been a popular target in armed conflicts for thousands of years. The difference to the past is that today soldiers or bombs are no longer necessary to cut off the electricity or water supply to the enemy in the event of a conflict. Instead, it is theoretically sufficient to use malware to bring the relevant systems under your own control.
It is difficult to completely renounce the digitization of the infrastructure. However, with precautionary measures, such as decoupling the critical areas from the network, the risk can be considerably reduced. A remote solution like Teamviewer is actually out of the question in such a sensitive environment. Sheriff Gualtieri is also certain: “That should be a wake-up call for us.”