What pops in your mind when you hear the term ‘hacker’? Years of corny representations in pop culture probably conjure up the image of a sweaty, obese man giggling to himself in his parent’s basement. Recently, the proliferation of state-sponsored hacker groups may have shifted this view somewhat. Still, even the worst breaches, such as the SolarWinds incident disclosed in December 2020, only move the needle of our collective attention span for few days at most. The danger is too abstract to take seriously.
But, what about attacks against critical infrastructure? Does a hacker’s attempt to poison a small Florida town’s water supply transform your conception from goofy punchline to legitimate terrorist? It should.
Oldsmar Florida water supply hack
On February 8, 2021, an unknown hacker or hacker group attacked Oldsmar’s water treatment plant[1]. The culprit took control of the treatment plant’s computer system and briefly increased the amount of lye in the water supply from 100ppm (parts per million) to 11,100. Lye is a corrosive chemical used to balance water’s pH, but it can be very harmful or even deadly in the incorrect ratio. Needless to say, a 100-fold rise in the amount of lye would have meant dire consequences for Oldsmar.
Luckily, a plant worker spotted the intrusion immediately and decreased the lye to normal levels quickly so no tainted water made it into the system. Had the plant operator not been on their game, or if the plant was completely automated, it could have been a disaster. Many smaller water treatment plants throughout the United States do not have constant human supervision, and they’re even less likely to have robust cybersecurity defenses.
Currently, the identity of the malicious agent(s) responsible for the attack is unknown. Both the FBI and Secret Service are investigating the matter[2]. Oldsmar is a town of approximately 15,000 people on the Gulf Coast of Florida, so you wouldn’t think it’s exactly a prime target for nation-state actors. Furthermore, the attack was not very sophisticated[3], pointing toward a more inexperienced perpetrator.
Preliminary analysis shows that the hacker accessed the water plant’s computer system via the remote desktop program, Teamviewer[4]. The system ran Windows 7, an older, outdated operating system that Microsoft has not supported with security patches for over a year. This, combined with poor password policies, led to the dangerous breach.
Not the first incident of cyber terrorism
The Oldsmar hack is very frightening but not the first occurrence of cyber terrorism. Here are a few notable past examples.
Israel water supply attack
Water supply attacks didn’t begin with Oldsmar. In May 2020, Israel implicated Iran in an attack on water treatment plants throughout the country. There is a striking similarity to the Oldsmar situation in that the hack’s goal was to change the proportion of chemicals mixed into the water[5]. So had Israel not noticed and foiled the assault, thousands of people could have been harmed.
The Israel-Iran conflict is way beyond this article’s scope, but know that this cyber incident is just one event in a long game of cat-and-mouse between the two archnemeses. With tactics such as these escalating the conflict, hopefully sanity prevails before a catastrophe happens.
Australia targeted by China
In another geopolitical squabble, in June 2020, Australia reported attacks against a variety of its critical infrastructure[6]. While officially unconfirmed, government officials attributed the attacks to China. Power plants, water networks, transportation grids, and communications grids all fell in the crosshairs.
The prevailing explanation for China’s motivation is that Australia put pressure on the communist nation to let an independent research team investigate the origins of the COVID-19 pandemic. This led to increased tensions, with China placing restrictions on trade with Australia and encouraging its citizens not to visit as tourists[7]. Analysts believe the hacks fell into this category of retaliation.
Ukrainian power grid hijacked
When discussing cyberattacks against infrastructure, you can’t leave out the Ukrainian power grid’s hack in December of 2015. Malicious agents infiltrated deep into the control systems of nearly 60 power Ukrainian substations[8]. It cut the power to 230,000 people in the area for between 1-6 hours. It was the first time a hack of a country’s electrical grid resulted in significant power outages. Cybersecurity experts pinpoint Russia as the offenders, and the very next year, they struck again by blacking out a small portion of Kyiv[9].
A look to the future
These situations largely avoided the worst potential consequences of cyber terrorism, can that be counted on forever? The truth is that all countries have vulnerable Industrial Control Systems (ICS) tied to critical infrastructure. The number of vulnerabilities disclosed in 2020 increased by 25% compared to the previous year, and this trend is only expected to continue[10].
There needs to be a national discussion about the prevention of cyber terrorism, as well as the contingency plans required just in case the worst happens. There can’t be a situation where a city’s electrical grid is so compromised that citizens are without power for a significant amount of time. Or where a threat actor successfully poison’s a town’s water supply. If society is not proactive about these scenarios, calamity is inevitable.
Securing data is our job
AXEL’s dedication to providing secure solutions for file sharing and storage is unparalleled. Our innovative, easy-to-use file-sharing platform, AXEL Go, protects your sensitive document from hackers and nosey corporations. Our engineers integrated blockchain technology, the InterPlanetary File System, and AES 256-bit encryption to ensure industry-leading privacy and safety. Download AXEL Go today for Windows, Mac, iOS, and Android to see how secure file sharing can be.
[1] Jack Evans, “Someone tried to poison the water supply of this Florida city in a hack, sheriff says”, The Miami Herald, Feb. 8, 2021, https://www.miamiherald.com/news/state/florida/article249110820.html
[2] Mahsa Saeidi, “FBI and Secret Service investigating Florida water hack”. News Nation, Feb. 9, 2021, https://www.newsnationnow.com/us-news/southeast/fbi-and-secret-service-investigating-florida-water-hack/
[3] Ionut Ilascu, “Hackers tried poisoning town after breaching its water facility”, Bleeping Computer, Feb. 8, 2021, https://www.bleepingcomputer.com/news/security/hackers-tried-poisoning-town-after-breaching-its-water-facility/
[4] ABC News, “Outdated computer system exploited in Florida water treatment plant hack”, ABC Columbia, Feb. 11, 2021, https://www.abccolumbia.com/2021/02/11/outdated-computer-system-exploited-in-florida-water-treatment-plant-hack/
[5] “Israel thwarted attack on water systems: cyber chief”, DW.com, May 28, 2020, https://www.dw.com/en/israel-thwarted-attack-on-water-systems-cyber-chief/a-53596796
[6] Associated Press, “Australia says an unnamed state is increasing cyberattacks on its infrastructure, businesses”, LA Times, June 19, 2020, https://www.latimes.com/world-nation/story/2020-06-19/australian-leader-says-unnamed-state-increasing-cyberattacks
[7] “China punishes Australia for promoting an inquiry into covid-19”, The Economist, May 23, 2020, https://www.economist.com/asia/2020/05/21/china-punishes-australia-for-promoting-an-inquiry-into-covid-19
[8] Jose A. Bernat, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired, Mar. 3, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
[9] Andy Greenberg, “’Crash Override’: The Malware That Took Down a Power Grid”, Wired, June 12, 2017, https://www.wired.com/story/crash-override-malware/
[10] Eduard Kovacs, “Number of ICS Vulnerabilities Continued to Increase in 2020: Report”, Security Week, Feb. 4, 2021, https://www.securityweek.com/number-ics-vulnerabilities-continued-increase-2020-report