Unprotected utilities – how an attack on a Florida water plant put lives at risk

A water plant in Oldsmar, Florida was attacked on February 5, 2021. A hacker managed to gain access to a SCADA system and increased the amount of sodium hydroxide (caustic soda) in the drinking water treatment process by a hundredfold (from 100ppm to 11,100ppm) ─ a life-threatening dose.

According to ARS Technica, the plant did not have a firewall, used a version of Windows for which support had expired (Windows 7), and had employees who shared the same “Team Viewer” password. The control equipment was connected directly to the Internet without any protection mechanisms.

With tools like Team Viewer, full control is possible from a remote location, and remote access is often secured with a basic password only. Other plants sometimes have simple websites on which devices can be controlled without any access data whatsoever.

According to the cybersecurity firm Fire Eye, attacks on water plants have increased in the past year. These are usually carried out by beginner hackers with the aid of the Shodan search engine. But hackers also include countries, cyber criminals, and disgruntled (former) employees.

Christopher Krebs, a well-known cybersecurity journalist, is of the opinion that these types of attacks are seldom made public and that the number of unreported cases is accordingly high.

Simple security precautions and basic training programs could have reduced attacks of this sort, as could have measures such as the securing of remote access through stronger password protection, network splitting, update implementation, and efforts to ensure that personnel are aware of cybersecurity-related dangers in their IT environment.

Breached water plant employees used the same TeamViewer password and no firewall – arstechnica
Hack exposes vulnerability of cash-strapped US water plants – apnews
What’s most interesting about the Florida water system hack? That we heard about it at all. – krebsonsecurity
Attack against Florida Water Treatment Facility – schneier

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us (mail us) or use our  to learn more about your cyber risk profile.

Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.