11 February 2021

Security Is Never a Priority

People are choosing convenience over security, even if it means that people could die as a result.

Hacker tried to poison Florida water supply near Super Bowl, police say

Oldsmar is a town in Florida at the very northern tip of Tampa Bay. It is about 15 miles from where the Super Bowl was held. Hackers tried to poison the water supply by increasing the amount of sodium hydroxide in the water from the normal 100 parts per million to 11,100 PPM. They gained access to the controls because supervisors had the system available remotely for convenience. And yes, 11,100 PPM of sodium hydroxide, which is also known as lye and is the principal ingredient in drain cleaner, would be toxic.

At about 1:30 p.m., a hacker accessed the system again, taking control of the mouse and directing it to the software that controls water treatment. The hacker then briefly increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.

An operator noticed the intrusion, and corrected it, and a supervisor disabled remote access.

It doesn't say in the linked article above, but an alert issued by the FBI on this incident references Windows 7. They don't say that is what is controlling the water treatment plant in Oldsmar, but I wouldn't be surprised if it were. It is probably controlling some water treatment plant somewhere.

Steve Gibson of Security Now dealt with this attack in Episode 805: SCADA Scandal. SCADA is the acronym for Supervisory Control And Data Acquisition. It is a system that controls all manner of industrial processes. My personal opinion is that it should not be exposed to the public internet.

On the subject of SCADA, Steve Gibson notes that allowing that level of control through automation is probably a design oversight. But security is expensive and I'm sure the people in charge of Oldsmar in general, and the water treatment in particular, didn't think they would be a target of an attack. The city is home to about 15,000 people, a short distance from Tampa, Clearwater, and Saint Petersburg, all much larger cities. What could go wrong?

I'll pause our story here to wonder why it's even possible to adjust, through any automation, the amount of lye to a level that's 111 times normal. That seems like a fundamental oversight in the design of the system. Sure, perhaps allow a range of 0% to 200%. But certainly not up to 11,100%. [From SN episode 805 show notes.]

But then as I have said many times, no one does proper systems design anymore, and security is never considered. "What do you mean if an unauthorized person gains access? That would never happen! Oh, and leave the back door open in case I ever need to check on things!"
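The range limit suggested in the show notes above, sketched as a setpoint guard that sits between the operator interface and the dosing controller. This is an added example, not code from the post or from any real water-treatment product; the class and function names, the source labels and the 25 ppm per-change step limit are assumptions for illustration.

```python
import math
from dataclasses import dataclass, field

NOMINAL_PPM = 100.0   # normal sodium hydroxide dose cited in the post
MAX_FRACTION = 2.0    # the "0% to 200%" range suggested in the show notes
MAX_STEP_PPM = 25.0   # assumed per-change limit, not from the post


@dataclass
class SetpointGuard:
    """Validates requested setpoints before they reach the dosing controller."""
    current_ppm: float = NOMINAL_PPM
    audit_log: list = field(default_factory=list)

    def request(self, new_ppm, source):
        """Apply new_ppm if it passes every check; log the decision either way."""
        reason = self._check(new_ppm)
        accepted = reason is None
        self.audit_log.append({
            "source": source, "requested": new_ppm,
            "previous": self.current_ppm, "accepted": accepted,
            "reason": reason or "ok",
        })
        if accepted:
            self.current_ppm = float(new_ppm)
        return accepted

    def _check(self, new_ppm):
        # Reject non-numeric, NaN and infinite input before any comparison.
        if isinstance(new_ppm, bool) or not isinstance(new_ppm, (int, float)):
            return "not a number"
        if not math.isfinite(new_ppm):
            return "not finite"
        if not 0.0 <= new_ppm <= NOMINAL_PPM * MAX_FRACTION:
            return "outside 0-200% of nominal"
        if abs(new_ppm - self.current_ppm) > MAX_STEP_PPM:
            return "step too large"
        return None


def replay_incident():
    """Replay constructed requests, including the value from the incident."""
    guard = SetpointGuard()
    results = [
        guard.request(110.0, "operator-console"),  # small routine adjustment
        guard.request(11100.0, "remote-session"),  # the value from the incident
        guard.request(200.0, "remote-session"),    # in range, but a 90 ppm jump
    ]
    return guard, results
```

Every request is logged whether or not it is applied, so a rejected 11,100 ppm request still leaves a record that can drive an alarm.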

It is only a matter of time before someone is killed by this "convenience trumps security" insanity. Even today, I am sure that somewhere some bureaucrat is telling some guy from Information Technology that they...

  1. Don't need to worry about security or two-factor authentication because that is hard, and
  2. We don't need to upgrade away from Windows 7 because everything is just fine the way it is, and
  3. You IT folks always want to spend money on something!

2 comments:

  1. The idea that the system is somehow accessible by anyone from anywhere is insane and yet all too common. That one can so easily dump toxic levels of chemicals into the water supply with the simple motion of a mouse and a click is beyond insane. And yet it happened. I bet there aren't 100 different water treatment management software apps in use around the US so you can be quite certain that plants in your region are just as vulnerable to such penetrations.

    Replies
    1. So true, and it isn't just water treatment.

      SCADA is used to control all manner of industrial processes. Power generation, pharmaceutical processes... Anything where you need to measure a voltage or a temperature, or any equipment that can change a reading - like parts per million - into a voltage can be monitored by SCADA. As a "standard" a whole bunch of equipment comes standard - or with options - for SCADA control.

      Which would be fine, if it was buried behind decent security and subject to rational constraints. Turning the volume up to 111 is not rational.

