Hackers successfully infiltrated the computer system controlling a water treatment facility in the U.S. state of Florida and remotely changed a setting that drastically altered the levels of sodium hydroxide (NaOH) in the water.
During a press conference held yesterday, Pinellas County Sheriff Bob Gualtieri said an operator managed to catch the manipulation in real-time and restored the concentration levels to undo the damage.
"At no time was there a significant effect on the water being treated, and more importantly the public was never in danger," Sheriff Gualtieri said in a statement.
The water treatment facility, which is located in the city of Oldsmar and serves about 15,000 residents, is said to have been breached for approximately 3 to 5 minutes by unknown suspects on February 5, with the remote access occurring twice at 8:00 a.m. and 1:30 p.m.
The attacker briefly increased the amount of sodium hydroxide from 100 parts-per-million to 11,100 parts-per-million using a system that allows for remote access via TeamViewer, a tool that lets users monitor and troubleshoot any system problems from other locations.
"At 1:30 p.m., a plant operator witnessed a second remote access user opening various functions in the system that control the amount of sodium hydroxide in the water," the officials said.
Sodium hydroxide, also known as lye, is a corrosive compound used in small amounts to control the acidity of water. In high and undiluted concentrations, it can be toxic and can cause irritation to the skin and eyes.
It is not immediately known if the hack was done from within the U.S. or outside the country. Detectives with the Digital Forensics Unit said an investigation into the incident is ongoing.
Although an early intervention averted more serious consequences, the sabotage attempt highlights the exposure of critical infrastructure facilities and industrial control systems to cyberattacks.
The fact that the attacker leveraged TeamViewer to take over the system underscores the need for securing access with multi-factor authentication and preventing such systems from being externally accessible.
"Manually identify software installed on hosts, particularly those critical to the industrial environment such as operator workstations — such as TeamViewer or VNC," said Dragos researcher Ben Miller. "Accessing this on a host-by-host basis may not be practical but it is comprehensive."
"Remote access requirements should be determined, including what IP addresses, what communication types, and what processes can be monitored. All others should be disabled by default. Remote access including process control should be limited as much as possible."