Twosense Blog

Remote hackers attempt to poison Florida city after breaching water treatment facility

Written by Twosense | Feb 10, 2021 5:00:00 AM
  • A hacker gained access to the water treatment system for the city of Oldsmar, Florida, through TeamViewer, a remote desktop software, and attempted to raise the chemical levels to extremely dangerous levels.
  • Reports say that this wasn’t a sophisticated attack and that incidents involving less skilled actors trying to access industrial control systems have increased since last year. Remote access software greatly increases the attack surface.
  • For a more sophisticated attacker, the 3 to 5 minutes of unauthorized access could’ve led to significant damage. Organizations moving towards Zero Trust need to incorporate continuous authentication.

An attacker gained access to a water treatment system in Oldsmar, Florida, and attempted to poison the water supply by increasing the concentration of sodium hydroxide (NaOH) to extremely dangerous levels. The attacker gained access through TeamViewer, remote desktop software that allows authorized users to troubleshoot system problems remotely. They were reported to have spent between three and five minutes inside the system, changing the NaOH level from 100 parts per million to 11,100 parts per million. Luckily a plant operator was present at the time, noticed that someone had taken control of the mouse and was using it to make changes, and cut off remote access.

While the water treatment system is set up with redundancies that would have sounded an alarm if the water’s chemical levels became too dangerous, this is not the first attack (nor will it be the last) on water treatment facilities. According to reports, this was not a sophisticated attack, and the number of incidents involving less skilled actors trying to access industrial control systems remotely has increased since last year. Remote access, while especially convenient for teams working from home, greatly increases the attack surface of an organization.

Although the attack this time was mitigated, a more sophisticated attacker could have caused a lot more damage. Three to five minutes of unauthorized access within a system is dangerous enough, and it was only detected because a plant operator was present at the time and witnessed the attack in real time. A sophisticated attacker could easily have launched a stealthier attack and waited for an opportune time to do something significantly more dangerous. While remote access software is typically protected by something like a VPN or MFA, once those are bypassed there is no way to tell that an unauthorized user is accessing systems. This is why organizations that are moving towards Zero Trust Architecture need to incorporate continuous authentication. With continuous authentication, an unauthorized user would have been detected and prevented from gaining access and causing further harm.
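The post makes two detection points: the plant's own redundancies would have alarmed on a dangerous chemical level, and nothing short of an operator watching the screen flagged the remote session itself. The following is an added example (not Twosense's product, and not the Oldsmar plant's software) that runs both kinds of check over HMI setpoint-change events. The log format, the `NAOH_SAFE_MAX_PPM` ceiling, the `MAX_STEP_FACTOR` limit and the sample lines are all constructed for illustration; the 100 ppm to 11,100 ppm change is the one reported above.

```python
import re
from dataclasses import dataclass

# Constructed limits for this example; they are not the plant's real values.
NAOH_SAFE_MAX_PPM = 500.0   # hypothetical hard ceiling for the NaOH setpoint
MAX_STEP_FACTOR = 2.0       # hypothetical: flag any single change of more than 2x

# Constructed log format: one HMI setpoint change per line, with the session type
# (local console vs. remote desktop) recorded by the HMI or its remote-access gateway.
LINE_RE = re.compile(
    r"(?P<ts>\S+) session=(?P<session>local|remote) user=(?P<user>\S+) "
    r"tag=(?P<tag>\S+) old=(?P<old>[0-9.]+) new=(?P<new>[0-9.]+)$"
)


@dataclass
class Alert:
    ts: str
    tag: str
    reason: str


def parse(line):
    """Turn one constructed log line into a dict with numeric old/new values."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    ev = m.groupdict()
    ev["old"] = float(ev["old"])
    ev["new"] = float(ev["new"])
    return ev


def check_event(ev):
    """Apply the range, rate-of-change and remote-session rules to one event."""
    alerts = []
    if ev["tag"] == "NaOH_setpoint_ppm":
        # Rule 1: absolute safety ceiling, the "redundancy" alarm the post mentions.
        if ev["new"] > NAOH_SAFE_MAX_PPM:
            alerts.append(Alert(ev["ts"], ev["tag"],
                                f"setpoint {ev['new']:g} ppm exceeds ceiling {NAOH_SAFE_MAX_PPM:g} ppm"))
        # Rule 2: an implausible jump in a single operator action.
        if ev["old"] > 0 and ev["new"] / ev["old"] > MAX_STEP_FACTOR:
            alerts.append(Alert(ev["ts"], ev["tag"],
                                f"jump of {ev['new'] / ev['old']:.0f}x in one step"))
    # Rule 3: any change made over a remote session gets flagged for review, because
    # a valid VPN/MFA login says nothing about who is actually at the keyboard.
    if ev["session"] == "remote":
        alerts.append(Alert(ev["ts"], ev["tag"],
                            f"changed over remote session as user {ev['user']}"))
    return alerts


def scan(lines):
    """Run every non-empty line through the checks and collect the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_event(parse(line)))
    return alerts


# Constructed sample events: a routine local tweak, the reported 100 -> 11,100 ppm
# change made over remote access, and an unrelated remote pH adjustment.
SAMPLE_LOG = """\
2021-02-05T08:00:00 session=local user=op1 tag=NaOH_setpoint_ppm old=100 new=110
2021-02-05T13:30:00 session=remote user=op1 tag=NaOH_setpoint_ppm old=100 new=11100
2021-02-05T13:31:00 session=remote user=op2 tag=pH_setpoint old=7.2 new=7.3
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.tag}: {a.reason}")
```

The first two rules catch the dangerous value after it has been entered, which is what the plant's redundancies are for. The third rule shows the gap the post is describing: it fires on every remote change, legitimate or not, because the session alone cannot tell an authorized remote operator from someone who has bypassed the VPN or MFA in front of it. That is the signal continuous authentication is meant to add.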

Twosense provides continuous authentication that is able to catch over 95% of users within seconds. If you’re interested in seeing how you can incorporate continuous authentication into your organization, reach out to Twosense today.