At 8 AM on Friday, Feb. 5, someone remotely accessed a computer responsible for controlling the water system in the small city of Oldsmar, Florida. This was not unusual. The computer was configured so that staff at the plant could access it remotely for troubleshooting and configuration.
Because of this, the plant operator who was onsite at the time didn’t see anything unusual about the access attempt. He simply assumed it was his supervisor, and because he didn’t see anything amiss, he put it out of his mind. It wasn’t until later that day that he realized what was happening.
While seated at his desk, he watched someone take control of the mouse, open the city’s water treatment software, and attempt to increase the amount of lye to a toxic level. Fortunately, the operator was able to immediately reverse the change. More fortunately, even if the operator hadn’t noticed it, the chemicals would have taken a day to actually enter the water supply — and plant staff likely would have noticed the sabotage well before that.
“The protocols that we have in place, monitoring protocols, they work — that’s the good news,” Oldsmar Mayor Eric Seidel told The Tampa Bay Times. “Even had they not caught them, there’s redundancies in the system that would have caught the change in the pH level.”
That’s good news. The bad news is that this is neither the first nor the last attack of its kind. As we bring more and more critical infrastructure online, we open the doors to countless bad actors.
And the damage they can cause could be charitably described as catastrophic.
Most cybercriminals are financially motivated. They want to steal valuable data that they can sell on the dark web, gain access to datasets that allow them to commit some form of fraud, or simply hold businesses for ransom in an effort to make some quick cash. The kind of hacker who would target something like water systems or the power grid is likely interested in one thing.
Consider, for instance, the blackout that hit Ukraine in 2016. Revealed later to have been the work of Russian black hats, it caused a power outage across most of the country’s capital. It took operators only one hour to switch everything back on, leaving people puzzled at Russia’s motivation.
Why go to such lengths to cause what amounted to little more than a minor inconvenience?
It was because the attack was intended to be far more devastating. As reported by Wired Magazine, cybersecurity researchers determined that the malware used by Russia wasn’t supposed to disrupt Ukraine’s power systems, but destroy them. Had they been successful, the blackout wouldn’t have just lasted an hour but instead may have stretched on for weeks or even months.
Perhaps what happened in Oldsmar was simply the result of some bored script kiddie looking to wreak havoc. It seems far likelier, however, that it’s a precursor to something bigger: that someone may be testing the waters for an attack that will prove far more devastating.
If nothing else, this should serve as a warning. If we plan to bring systems like water treatment facilities and power plants online, they need to be made as secure as humanly possible, with multiple redundancies to prevent sabotage. Because if we don’t?
We’re certain you can imagine the potential consequences.
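The mayor’s point about monitoring and redundancy is worth making concrete. The example below is added here for illustration; it is not code from the Oldsmar plant, from its water treatment software, or from any vendor. It shows two independent layers a defender would want: a setpoint guard inside the controller that rejects dosing changes outside a hard range or larger than one step, whoever requests them (console operator or remote session), and a separate pH monitor that reads the water itself and alarms on a sustained excursion, so it still fires even if the first layer were bypassed. The dosing limits, the pH band, the readings and the source labels are all constructed for the example.

```python
"""Independent bounds checking for chemical dosing setpoints and for pH.

Added illustration only. All limits, readings and labels are constructed;
a real plant derives its limits from its process design, not from here.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class DosingLimits:
    min_ppm: float       # lowest dose the process ever needs (constructed)
    max_ppm: float       # hard ceiling, enforced regardless of who asks
    max_step_ppm: float  # largest change a single request may make


@dataclass
class SetpointGuard:
    """Validates every dosing setpoint change before it reaches the pump.

    The check lives in the controller, so it applies equally to an operator
    at the console and to a remote-access session: a request is judged on
    its value and size, not on who appears to be sending it.
    """
    limits: DosingLimits
    current_ppm: float
    audit: List[str] = field(default_factory=list)  # every request, kept

    def request(self, new_ppm: float, source: str) -> Tuple[bool, str]:
        lim = self.limits
        if not (lim.min_ppm <= new_ppm <= lim.max_ppm):
            reason = f"rejected: out of range [{lim.min_ppm}, {lim.max_ppm}] ppm"
        elif abs(new_ppm - self.current_ppm) > lim.max_step_ppm:
            reason = f"rejected: step larger than {lim.max_step_ppm} ppm"
        else:
            reason = "accepted"
        accepted = reason == "accepted"
        # Rejected requests are the interesting ones for an analyst, so they
        # are logged with their source just like accepted ones.
        self.audit.append(f"{source}: {self.current_ppm} -> {new_ppm} ppm: {reason}")
        if accepted:
            self.current_ppm = new_ppm
        return accepted, reason


@dataclass(frozen=True)
class PhBand:
    low: float   # assumed safe band for this example
    high: float


def ph_alarms(readings: List[float], band: PhBand, persistence: int = 3) -> List[int]:
    """Return the indices at which a sustained pH excursion is confirmed.

    A single out-of-band reading is ignored as probable sensor noise; an alarm
    is raised at the `persistence`-th consecutive out-of-band reading. This
    layer measures the water rather than trusting the setpoint, which is what
    makes it a genuine redundancy.
    """
    alarms: List[int] = []
    run = 0
    for i, ph in enumerate(readings):
        if band.low <= ph <= band.high:
            run = 0
        else:
            run += 1
            if run == persistence:
                alarms.append(i)
    return alarms


if __name__ == "__main__":
    guard = SetpointGuard(DosingLimits(0.0, 200.0, 25.0), current_ppm=100.0)
    print(guard.request(110.0, "console"))   # accepted
    print(guard.request(5000.0, "remote"))   # rejected: out of range
    print(guard.request(150.0, "remote"))    # rejected: step too large
    # Constructed sensor trace: one noisy spike, then a real excursion.
    trace = [7.2, 7.4, 9.1, 7.3, 9.0, 9.4, 9.8, 10.2, 7.1, 9.6, 9.7]
    print(ph_alarms(trace, PhBand(6.5, 8.5)))  # [6]
```

The two checks are deliberately independent: the setpoint guard never looks at pH and the pH monitor never looks at the setpoint, so defeating one leaves the other intact. In a real deployment the audit list would go to a log the control network cannot overwrite, and a rejected request from a remote source would itself be an alert.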