SINGAPORE – It was 8am on Feb 5, 2021 when a plant operator at a Florida water-treatment facility noticed that someone from a different location had tried to access the computer system he was monitoring.
This happened very briefly and he did not think much about it, as his supervisor and others sometimes accessed his computer remotely to check on the system at various times of the day. Remote access and control software TeamViewer had been installed to enable this.
The system controls operations at the Bruce T. Haddock Water Treatment Plant in the town of Oldsmar.
Nothing more happened until about 1.30pm, when a window popped up on his computer, alerting him that it was being accessed.
Then, he saw the mouse cursor on the computer screen moving on its own.
Someone had taken over control and was trying to open various software functions that oversee water treatment. This went on for three to five minutes.
The last thing the hacker did before exiting the system was to increase the concentration of sodium hydroxide, or lye, in the drinking water to levels potentially dangerous to Oldsmar’s 15,000 residents. The concentration was raised from the original 100 parts per million setting to 11,100 parts per million.
Lye is used in drain cleaners. In treatment plants, it is used to control the acidity of water and remove metals in drinking water.
After the hacker left the system, the plant operator quickly undid what the intruder had done.
The local authorities said they disabled the remote access software and would make upgrades to the system to prevent the incident from recurring.
While a crisis was averted, and an alarm would have sounded if the lye’s high concentration caused the water’s acidity to change too much, the incident highlighted glaring cyber-security weaknesses.
A probe by the United States Federal Bureau of Investigation found that water-plant employees were sharing the same password for the TeamViewer software used to remotely access the plant’s system.
It is believed this shared password was used by the hacker, reported business magazine Forbes.
The plant’s system was also running on an outdated operating system – Windows 7, which Microsoft had stopped supporting and providing security updates for about a year earlier.
Another problem: None of the computers at the water plant had firewall software installed, even though they appeared to be connected to the Internet. Firewalls can help block unauthorised access into computer systems.
These flaws left the system vulnerable to break-ins by hackers, said cyber-security experts.
To date, the hacker’s identity, location and modus operandi have not been established.
But industrial cyber-security company Dragos said the usernames and passwords of at least 11 employees from Oldsmar had been traded on the Dark Web, the underbelly of the Internet frequented by hackers, NBC News reported.