Cyber-attack near Super Bowl stadium threatens local water supply

12th February 2021


Just two days before one of the largest annual sporting events in the world—the National Football League’s Super Bowl LV on February 7—a cyber-attacker compromised a remote-access program at a water treatment plant in Oldsmar, Florida, in an attempt to poison the town’s water supply.

Pinellas County Sheriff Bob Gualtieri reported that the unidentified attacker hacked into a remote access program called TeamViewer on February 5. TeamViewer allows users to remotely access computers, and was used at the plant to troubleshoot parts of the plant’s computerized systems. That morning, a plant employee reportedly noticed that his mouse was moving independently, but didn’t think much about it. Later that afternoon, the employee saw the activity again. This time, the remote hacker had commandeered the mouse to increase the level of lye, or sodium hydroxide, being added to the water, raising it from 100 parts per million to 11,100 parts per million. Sodium hydroxide is used in small amounts to help reduce acidity, manage pH levels and remove metals. Sodium hydroxide also is the primary ingredient in liquid drain cleaners. Used at high levels, the chemical can be dangerous, and could have rendered Oldsmar’s water unpotable and even dangerous to touch.

The plant employee immediately re-adjusted the levels and alerted his supervisor, who then called the police. The FBI and Secret Service also have been called in to investigate.

At a news conference on February 8, Oldsmar City Manager Al Braithwaite said that the remote access program had been disabled, and that the city will look for a replacement. The identity of the attacker remains unknown, as does the origin of the attack.

This is not the first time that cyber-attackers have tried to compromise a water treatment plant or other critical infrastructure. In April 2020, hackers broke into an Israeli water system and tried to modify the water’s chlorine levels. Then, just two months later, in June 2020, attackers hit two additional Israeli water management facilities. One attack was on agricultural water pumps in Galilee, and the second hit water pumps in the central province of Mateh Yehuda.

Other critical infrastructure also has been attacked. In late 2015, a large section of the Ukrainian population suffered power cuts following a series of cyber-attacks on three local energy companies. In 2013, a New York dam located about 50 miles north of Manhattan that is integral to regional flood control was attacked. (Fortunately, the attackers never managed to fully access the dam’s systems.)

The United States recognizes that critical infrastructure is a prime target for cyber attackers. On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within the Department of Homeland Security (DHS) and established the Cybersecurity and Infrastructure Security Agency (CISA). CISA plays a key role in helping critical infrastructure organizations, both private and public, by providing guidance on protecting against cyber attackers.

Remote access control programs such as TeamViewer, which are known as Operational Technology (OT), play a key role in managing and monitoring systems, and are essential to around-the-clock, 365-day-a-year operations. While OT solutions are invaluable in helping to maintain operations, they also create additional vectors for attackers to gain access and compromise systems. To protect against this risk, organizations need to ensure that their cybersecurity programs and supporting controls are routinely tested for both efficiency and effectiveness.

On July 23, 2020, CISA, along with the National Security Agency (NSA), issued updated critical infrastructure recommendations that included limiting or eliminating remote access. The recommendation states: “Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets.” (The full report is titled “NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems” and is published by CISA.)

CISA also issued a warning on April 16, 2020 regarding the vulnerabilities of Virtual Private Networks: “NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems” (CISA).

The cyber-attack in Florida is likely to focus more attention on the need to protect both industrial control systems and supervisory control and data acquisition (SCADA) systems. Notably, the attack also will elicit more attention from cyber-attackers, who are more aware than ever of the vulnerabilities of these systems.

To help mitigate risk, every technology component within the critical infrastructure ecosystem must be routinely assessed and tested.

The Biden administration’s $1.9 trillion COVID-19 bill calls for $9 billion in federal cybersecurity improvements, which includes $690 million for a CISA project that is designed to improve monitoring and response to cyber incidents across government agencies. The Biden administration also is expected to further protections against cyber-attacks by increasing both scrutiny of, and requirements for, cybersecurity regulatory compliance.

Cybersecurity regulatory compliance and foundational practices are required for a solid program and defense against attackers. HKA’s Cybersecurity Team has significant experience and expertise conducting cybersecurity assessments to identify program gaps and weaknesses, as well as providing remediation and implementation support.

About the Author: 

Michael Corcione has more than 30 years of experience in advising companies and boards of directors on technology, cybersecurity and privacy and risk management strategies. Over the past decade, he has led the delivery of Virtual Chief Information Security Officer (vCISO) services for advisory firms, which provide a CISO, along with cyber, privacy, and information security subject-matter experts to organizations of all sizes and verticals. Michael currently consults on regulatory enforcement matters, corporate initiatives and risk management related to cyber and information security, as well as privacy. He is currently a member of the cybersecurity advisory board at Pace University, and a member of the Board of Trustees of the American Management Association International.

“While OT solutions are invaluable in helping to maintain operations, they also create additional vectors for attackers to gain access and compromise systems.”
Michael Corcione, Partner HKA

This publication presents the views, thoughts or opinions of the author and not necessarily those of HKA. Whilst we take every care to ensure the accuracy of this information at the time of publication, the content is not intended to deal with all aspects of the subject referred to, should not be relied upon and does not constitute advice of any kind. This publication is protected by copyright © 2024 HKA Global Ltd.

