Earlier this month, a water treatment plant in Oldsmar, Florida experienced a cyber breach that threatened the lives of thousands of residents. A program that was designed to help the water treatment operators with treatment systems provided a point of entry for a hacker. The program gave full, remote access and allowed the hacker access to the software that controls water treatment.
This access gave the hacker the ability to then increase the water’s level of sodium hydroxide, also known as lye, which is used in many household drain cleaners to aid in dissolving hair and grease. According to Pinellas County Sheriff, Bob Gualtierihe, the hacker had raised the level of lye from 100 parts per million to 11,100 parts per million. So you know the severity of this breach, the chemical is used in small amounts to control the acidity of water, but ingesting large amounts of lye will burn the esophagus and can even cause death.
Fortunately, the city’s water supply was ultimately unaffected. An operator on duty immediately caught the changes and reversed them. City officials highlighted that several other safeguards are in place to prevent an instance of contaminated water entering the main water supply. and said they’ve since disabled the remote-access system used in the attack.
While this particular instance avoided tragedy, it raises valid concerns about the protection of our infrastructure of which our nation relies on and the risks of internet-connected controls. Disruptions to services such as water supply extend beyond inconveniences and can spell disaster for those affected. We rightfully expect these organizations to have a thorough risk management plan in effect, mitigating vulnerabilities, costs, and possible catastrophic events.
A positive we pull from this experience is that having the proper policies and protocols in place is effective and can be the difference between a failed attack and disaster. Mayor Eric Seidel stated that there are redundancies in the system that would have caught the change in the pH level, even if the monitoring protocols had failed. While your organization can’t always have a 100% impenetrable defense, having multiple layers of security is vital for this exact reason.
Make sure you’re protected by performing all the necessary assessments and implementing the required policies and controls. RiskWatch software enables you to reduce exposure to liability, manage risk, monitor and maintain cybersecurity, and track continuous improvement. Sign up for a free account today so you can see firsthand how to improve your program. We allow 3 free assessments on your account and provide free content libraries, such as to assess your cyber risk.
