Hacker tries to poison Florida

How secure are your control systems?

It must have been alarming.  A control engineer watched his screen as someone increased the amount of sodium hydroxide from 100 parts per million to 11,300.  He’d seen someone access the system in the morning and assumed it was his boss, logged in remotely.  But it became clear it was not.  He reduced the level back to normal and no harm was done.

Sodium hydroxide – also known as lye or caustic soda – is used to control water acidity and to help remove heavy metals from water.

The Oldsmar plant in Florida where the attack happened provides water to businesses and about 15,000 residents.  The James W. Jardine water treatment plant serves 5.5 million people in Chicago and surrounding suburbs.

The attack vector is understood to have been TeamViewer, a piece of software that gives remote access to computers, usually to enable them to be supported at a distance.

It’s worth noting that SCADA systems are typically used for the control of industrial processes such as water treatment.  It’s a highly fragmented market which was born in the 1960s, long before the world became fully connected and bad actors included hackers.

As a provider of control solutions for the water distribution network, part of critical national infrastructure, i2O is very conscious of the need for security.  It was the first such provider to attain ISO27001 certification, the gold standard for information security.  Our control solutions are protected by Multi-Factor Authentication.  We even security screen our own employees, whether they write the systems, build hardware, or provide technical support to clients.  We worry so you don’t have to.

Image by Hari vinayak Santhosh; used, unedited, under the Creative Commons Attribution-Share Alike 4.0 International license.