Surely everyone has been made aware of the recent 'hacker intrusion' at the Oldsmar, Florida water treatment facility. As some background, this is a small plant that sources water from a bore field and delivers potable water to around 15,000 households (and presumably some businesses as well, based on a cursory inspection on a mapping site).
Here's the basic scenario.
Early on the morning of Friday February 5th, the plant operator was watching the system management screen and noticed the mouse move - it wasn't him. Nothing else happened. Later that morning, they again saw the mouse move, and this time, the cursor was placed in the NaOH (Sodium Hydroxide) field and the one key was pressed twice at the front of the field.
The local Sherriff, Mayor and City Manager held a press conference where they insisted that the act was caught quickly and since the 'pipeline' from adding Sodium Hydroxide to the water to it reaching homes was at least a couple of days, and there were multiple testing points along that path, the public was never in danger.
Having worked in industrial control systems for around 13 years, MUCH of this reads like a beat-up to me.
It has been widely reported that the intruder made use of a TeamViewer client running on the control computer so that plant managers could check the status from outside the building (perhaps from home, who knows). This is stupid! Do they not trust the operators? Further, most SCADA (Supervisory Control And Data Acquisition) systems permit the configuration of read-only clients that will display system status, but cannot accept modifications. If all else fails, point a webcam at the screen and have the managers connect to that!
Having read widely on this topic and been privy to some 'off-the-record' discussions amongst SCADA security experts, here's what I can glean.
It seems that the TeamViewer access details had been posted on a 'compromised credentials' web site only a few days earlier and (I haven't checked but) I expect the site to also appear in the SHODAN database.
In most SCADA-based systems, key variables would be configured with range limits that the system would not be able to exceed. This is entirely normal practice when configuring a SCADA client.
As I see it, the intruder was probably little more than a 'script kiddie' who once gaining access, put the cursor in the NaOH field and bashed the '1' key a couple of times to see if he had read/write access. If he'd pressed 'enter' the change would almost certainly not have been written to the control system.
Note that (as mentioned in the preamble) this treatment plant draws its source water from a bore field, where the chemistry barely changes over a weeks-long timeframe - they could have shut the SCADA system down and allowed the PLCs etc to run with current value for weeks on end with no ill-effect to the quality of the water distributed to residents.
Overall, I'm not hugely bothered by this incident and I rather suspect it has been beaten up into something more than it needed to be to create a salutary lesson to other operators.
Your mileage may vary, of course.