Florida Water Utility Hack Highlights Risks to Critical Infrastructure

The intrusion also shows how redundancy and detection can minimize damage and reduce impact to the population.

For a few minutes on Friday, an operator at the Water Division for the town of Oldsmar, Florida, watched as the cursor on his computer moved across the screen, opening windows and clicking buttons.


He at first assumed that another technician for the water treatment plant had taken control of the software remotely. But when the remote user raised the level of a caustic chemical known as sodium hydroxide—often referred to as lye—by a factor of 111, the operator realized that an intruder had compromised the system. He quickly reversed the changes and then alerted authorities, local officials said during a press conference on Monday.


Most likely, redundant checks on chemical composition of water exiting the system would have caught the changes, but it should not get to that point: utilities need to raise their cyber resilience, says Austin Berglas, former head of cyber for the FBI's New York office and currently the global head of professional services at cybersecurity firm BlueVoyant. The actors were unsophisticated—they likely used stolen credentials to log into the remote access software, TeamViewer—and the operator happened to witness the attack. Next time, it may not be that easy.


"An attack using TeamViewer and other remote access tools is not a sophisticated attack—this was probably stolen credentials," he says. "You don't need an A-game or zero-day tools for this type of attack. If that is going to be the norm for an organization to be so susceptible to attack that someone can take control and add a poisonous chemical into a water supply, that is a problem."

